Leadership:  Contrarian  Rewards  Page  42 


BUSINESS  TECHNOLOGY  LEADERSHIP 


The  Global  State  of 

Information Security 2006

• The best security practices: Who has them?

• Why regulatory compliance continues to lag

• Security in the mid-market

• Data from 7,791 information security executives in 50 countries


Begins  on  Page  82 


Your employees aren’t stubborn;
their brains are hardwired to fear
the unfamiliar. How cognitive
research can help you overcome
resistance to change. Page 54

BY  KOCH 


SEPTEMBER 15, 2006 | $9.00 | CIO.COM


.INFRASTRUCTURE  LOG 


_DAY  12:  This  is  out  of  control.  No  one  can  get  real-time 
answers.  No  one’s  collaborating.  Web  conferencing  services 
are  driving  costs  through  the  roof.  Unmanaged  public  IM  is 
a  security  nightmare.  We  need  help. 

_Gil brought in a “collaboration accelerator.” I said it
looked more like a cannon. He said I had a small mind.

_DAY  14:  I’ve  found  a  better  way:  IBM  Lotus®  Sametime®  7.5. 
It’s  not  just  IM  and  Web  conferencing,  it’s  an  affordable 
platform  for  running  the  business  in  real  time.  It’s 
encrypted.  Has  tons  of  features  like  VoIP  and  location 
awareness.  And  it  works  seamlessly  with  leading  public  IM 
networks.  Everyone  has  real-time  answers  now. 

_Hey,  we’ve  even  recovered  most  of  our  employees. 


Lotus. 


Download  the  Lotus  Sametime  7.5  demo  at: 

IBM.COM/TAKEBACKCONTROL/SAMETIME 


Count  on  a  secure,  reliable 
infrastructure  for  all  your 
Internet-based  interactions. 


© 2006 VeriSign, Inc. All rights reserved. VeriSign, the VeriSign logo, “Where it all comes together.” and other trademarks, service marks,
and  designs  are  registered  or  unregistered  trademarks  of  VeriSign  and  its  subsidiaries  in  the  United  States  and  in  foreign  countries. 


Every  day,  VeriSign  intelligent  infrastructure  services  deliver  the  real-time  information  that  the  world 
demands  in  order  to  make  faster  and  more  effective  decisions.  By  transforming  raw  data  into  actionable 
intelligence— up  to  18  billion  times  a  day— we  can  help  your  business  be  more  agile,  get  to  market  faster, 
and  enjoy  a  sustainable  competitive  edge.  VeriSign.®  Where  it  all  comes  together.™ 


www.verisign.com/intelligence 

Download  the  free  white  paper  on  intelligent  infrastructure  services. 




DELL™ POWEREDGE™ SERVERS
FEATURE  THE  RELIABILITY  OF 
DUAL-CORE  INTEL®  XEON® 
PROCESSORS. 


Purely 

uncomplicated 

Dell  PowerEdge  Servers. 

Born  to  reduce  complexity. 

Behold  the  Dell  PowerEdge  family  of  servers. 
Fewer  system  images  help  you  save  time  during 
software  updates,  and  built-in  LCD  displays 
help  turn  datacenter  chaos  into  a  thing  of  the 
past.  For  a  360°  online  view  of  this  pure  leap 
forward,  visit  www.dell.com/poweredge.  Form 
combined  with  function.  It’s  your  enterprise. 

So  every  Dell  solution  is  purely  you. 


Purely  You 

See  the  Dell  difference  at 
www.dell.com/poweredge 
1.866.664.6518 




Dell  cannot  be  responsible  for  errors  in  typography  or  photography.  Dell,  the  Dell  logo  and  PowerEdge  are  trademarks  of 
Dell  Inc.  Intel,  Intel  logo,  Intel  Inside,  Intel  Inside  logo,  Xeon  and  Xeon  Inside  are  trademarks  or  registered  trademarks  of 
Intel  Corporation  or  its  subsidiaries  in  the  United  States  and  other  countries.  ©  2006  Dell  Inc.  All  rights  reserved. 


"People  have  a tendency  to 
try to sell technology, but
really the CIO needs to listen
for the business problem,"
says Dow Chemical CIO
Dave Kepler.


54  The  New  Science  of  Change 


cover  story  |  change  management  Nothing  is  more  frustrating  than 
trying  to  get  people  to  alter  the  way  they  do  things.  New  research  reveals  why 
it’s  so  hard  and  suggests  strategies  to  make  it  easier.  By  Christopher  Koch 


SEPTEMBER  15,  2006  |  VOL/19  |  NO/23 


Columns 


42  The  Road  Less 
Traveled 

i.t.  strategy  It’s  a  good  sign  when 
a  CIO  takes  a  different  path  from  his 
competitors.  By  Mike  Hugos 

46  Process  Pantomime 
leadership  When  form  substitutes 
for  substance,  you  have  an  IT  leadership 
problem.  By  Michael  Schrage 

50  Whose  Property? 
Whose  Rights? 

i.p.  To  understand  the  Chinese  attitude 
toward  intellectual  property  rights,  you 
have  to  first  understand  the  Chinese 
attitude  toward  property  and  toward 
rights.  By  William  Alford 


70  How  to  Put  the  Money  Where 
the  Mouse  Is 

e-commerce  With  a  flexible  IT  infrastructure,  streamlined  business 
organization  and  attention  to  customer  convenience,  E-Trade  is  modeling 
the  future  of  Web-based  banking.  By  Susannah  Patton 

82 The Global State of Information
Security  2006 

security  survey  Some  areas  are  improving— slowly— but  security 
practices  are  still  immature  and,  in  some  cases,  regressing. 

Plus,  Security  in  the  Mid-Market:  Why  bigger  ain’t  necessarily  safer. 

By  Allan  Holmes 

97  Formula  for  Efficiency 

view  from  the  top  Low-margin  industries— such  as  chemicals— 
usually  don’t  invest  heavily  in  IT.  But  Dow  does.  Its  CEO  tells  us  why. 

By  Ben  Worthen 




COVER  PHOTO  BY  ALFRED  PASIEKA/PHOTO  RESEARCHERS  INC. 


www.cio.com  |  SEPTEMBER  15,  2006  5 


content 


In  Every  Issue 


10  From  the  Editor 

There’s  no  reason  why  young  kids  can’t 
get  turned  on  to  IT.  CIOs  can— and 
should— help.  By  Abbie  Lundberg 

12  From  the  CEO 

In  which  the  old  story  of  alignment 
is  retold  and  reimagined. 

By  Michael  Friedenberg 

18  Inbox 

Readers  weigh  in  on  IPv6  and  business 
alignment. 

25  Trendlines 

► A new world of risk
► Memory on a sticker
► I say maintenance, you say moolah
► Do you tube?
► Houston, ITIL solved our problem
► Pokerbot: It knows when to hold ’em
► Are U.S. CIOs too afraid of new technology?
► Smart lessons from the mavericks
► Server virtualization: The real savings


37  Essential  Technology 

Retailers,  not  manufacturers,  have 
been  reaping  the  benefits  of  RFID. 
Here’s  what  needs  to  change. 

By  Thomas  Wailgum 


102  Index 


104  Endlines 

Adventures  in  customer  service 

By  Scott  Berinato 



[RESEARCH] 

Global  Security  Survey 

We’ve  now  gathered  four  years  of  data  on  the 
global  state  of  information  security.  This  year’s 
results  are  reported  in  depth  in  this  issue.  But 
there's  lots  more  online,  including  all  four 
years’  worth  of  data,  PDFs  of  this  year’s  charts, 
an audio roundtable of experts discussing the
results  (see  below),  links  to  previous  years’ 
articles  and  much  more. 

www.cio.com/091506


[LISTEN  IN] 

SECURITY  ROUNDTABLE 

What do the experts think of “The
Global State of Information Security
2006” survey results? Washington
Bureau Chief Allan Holmes asked
them. This frank and lively roundtable
discussion features Ernie
Hayden, CISO for the Port of Seattle;
Jason Spaltro, executive director
of information security at Sony Pictures
Entertainment; and Jim Lewis,
director of the Technology and
Public Policy program at the Center
for Strategic & International Studies.
Listen in!

www.cio.com/podcasts/security.html 


WEB  2.0  WEEKEND 

“My  dirty  little  secret  is  that 
while  I  talk  a  good  game, 

I  don’t  use  many  of  these 
technologies  myself.  Yes,  I 
have  a  work  blog  and  a  Web- 
based  e-mail  account,  but 
I’ve  never  used  MySpace, 
built  a  website  or  made  a 
Skype  call.  This  weekend  I 
set  out  to  change  all  that....” 

blogs.cio.com/my-web-2-0-weekend


»  Innovation  On  and  Off  the  Field:  Leadership  interview  with 
Football  Hall  of  Fame  Coach  Bill  Walsh,  conducted  by  CIO  Publisher 
Gary  Beach  at  our  recent  CIO  100  Symposium. 

www.cio.com/podcasts/authors.html 




When  your  company  delivers  financial 


hange  artists 


8,000  times  a 


Watch our discussion with Reuters, now On Demand. In an industry where fortunes change in the
blink  of  an  eye,  one  company  stands  in  the  center  of  it  all.  On  the  latest  episode  of  “Change  Artists”  Reuters  CTO  Roy 
Lowrance  and  CEO  Tom  Glocer  discuss  how  innovation  and  constant  evolution  have  made  them  the  most  trusted 
name  for  news  and  financial  information.  Visit  hp.com/changeartists.  There  you  can  watch  the  webcast  and  go 
beyond  the  show  by  exploring  all  our  resources  for  understanding  and  mastering  change.  See  the  On  Demand 


replay  anytime  at  hp.com/changeartists. 

Produced  by: 

Broadcast  by: 

2006 Hewlett-Packard Development Company, L.P.


Is  your  business 


business? 

Ask  your  people. 




©  2006  Microsoft  Corporation.  All  rights  reserved.  Microsoft  is  a  registered  trademark  of  Microsoft  Corporation  in  the  United  States  and/or  other  countries. 


Is your business a people-ready business?


Would  they  say  it's  a  good  place  to  work?  Hopefully.  But  that's 
only  part  of  what  makes  a  people-ready  business.  Casual  dress, 
scooter-friendly  hallways,  and  dogs  under  desks  are  great.  But 
they  don't  make  people  ready. 


So  ask  your  people  (and 
yourself)  these  questions.  The 
answers  will  tell  you  a  lot. 

Can  they  contribute  right 
off  the  bat?  What  good  is 
technology  no  one  wants  to 
use?  A  people-ready  business 
invests  in  software  that's  easy 
to  learn,  easy  to  work  with,  easy 
to  master,  and  doesn't  waste 
time  with  weeks  of  retraining. 

Can  they  get  to  all  the  data 
they  need?  If  people  are  going 
to  make  the  right  decisions  at 
the  right  time,  they  need  the 
right  information.  So  a  people- 
ready  business  invests  in  networks  that  reliably, 
dependably  connect  people  across  departments, 
offices,  and  continents. 

Can  they  collaborate  easily?  A  people-ready 
business  helps  its  people  work  together,  no  matter 
where  in  the  world  they  sit.  From  portals  to  e-mails, 
from  live  teleconferencing  to  IM,  in  hundreds  of 


different  ways  (and  languages), 
they're  dialed  in. 

Can  they  work  anywhere? 

Productive  people  aren't  tied 
to  their  desks.  With  mobile 
devices  and  remote  access, 
they  have  what  they  need  to 
get  the  job  done — whether 
they're  in  the  home  office,  a 
client's  office,  or  a  business 
lounge  in  Kuala  Lumpur. 

If your people answered "yes"
to these questions, congratulations —
you're a people-ready
business. You've got a foundation
of powerful, integrated
software and systems that help your people work
to the fullest extent of their talent.

If  your  people  answered  "no"  or  "sometimes," 
then  you  might  want  to  take  a  look  at  your 
technology  investment.  Which,  when  you  think 
about  it,  isn't  an  investment  in  technology  at  all. 
It's  an  investment  in  people. 


Do  your  people  have 
the  tools  they  need  to  do 
their  best  work? 




Microsoft 


FROM THE EDITOR


Be  Cool 


There’s  no  reason  why  young 
kids  can't  get  turned  on  to  IT. 
CIOs  can— and  should— help. 


Our Sept. 1 cover story dealt with the challenges of finding, training and retaining
the talent you need for your evolving IT department. In it, General Motors CIO Ralph
Szygenda said, “You’re going to be in trouble if you’re not working to get kids interested
in IT.” Szygenda was talking about college kids but I think that’s already too late.
As Phil Zwieg, VP of IS of Northwestern Mutual, said in the same story, “There’s much
more work to do in the K-12 environment to encourage math and science, particularly
with girls.” (For more on K-12 IT education, see “Computer Education’s Failing
Grade,” www.cio.com/090106.)

Getting kids together to learn about technology in a hands-on setting with no grade
pressures will lead them to form a deeper interest.

There are many ways to get kids excited about science and technology,
but focusing purely on the business case—or even the technology—won’t
work. Kids want to do what’s cool, and given some of the kid-driven stuff going on now
(MySpace, YouTube, iTunes), it shouldn’t be too hard to engage them.

Here  are  just  a  few  things  that  CIOs  and  their  companies  can  do  to  help. 

Support  science  programming:  Kids  form  their  interests  early  on.  My  teenager 
got  hooked  on  science  by  PBS’s  Bill  Nye  the  Science  Guy  back  when  she  was  just  six  or 
seven  years  old.  Corporations  helped  fund  the  show. 

Fund scholarships and grants: Raytheon ambitiously launched MathMovesU
(www.mathmovesu.com). An annual $1 million grant goes toward classroom help for
middle-school teachers and schools and scholarships for students who write essays
on how to make math cool. Raytheon teamed with MathCounts, a nonprofit that promotes
excellence in math among middle school students.

Engage  personally:  Zwieg  has  his  IT  HR  team  set  up  career  information  sessions  at 
local  high  schools.  Just  remember:  Keep  it  cool! 

Partner  with  others:  This  summer,  my  daughter  spent  three  weeks  at  the  Advanced 
Biotechnology Institute (www.biotech-institute.org), where she had the chance to study
biotech  and  medicine  with  other  high  school  juniors  and  seniors.  The  kids  did  lab 
work,  visited  local  companies  to  see  biotech  in  action,  heard  lectures  from  visiting 
scientists  and  spent  two  days  meeting  with  researchers  at  the  National  Institutes 
of  Health  in  Bethesda,  Md.  Larry  Murphy,  a  high  school  science  department  head, 
founded  the  Advanced  Biotechnology  Institute  because  he  believed  that  getting  kids 
together  to  learn  about  biotech  in  a  hands-on  setting  with  no  grade  pressures  would 
lead  them  to  form  a  deeper  interest.  He  was  right.  My  daughter  now  tells  me  that  she 
sees  great  opportunities  in  a  field  she  once  thought  beyond  her  reach.  I  don’t  know 
why  this  model  wouldn’t  work  in  IT,  with  CIOs  as  the  visiting  lecturers,  and  field  trips 
to  organizations  doing  cool  things  with  IT. 

Do  you  know  of  an  innovative  program  to  interest  younger  kids  in  science  and 
technology?  Let  us  know  about  it  and  we’ll  publicize  it.  That’s  how  we  can  help. 


Abbie  Lundberg,  Editor  in  Chief 
lundberg@cio.com 




PHOTO  BY  STEVEN  VOTE 


34 weeks from NOW:
Hackistan04  exploits  a  security 
flaw,  steals  customer  records 
and  brings  your  system  to  its 
knees.  Party's  over. 


MGC  $168.23 


Wouldn't  you  rather  know  NOW? 



75% of hacks are made possible by software vulnerabilities. That's why Fortify strengthens
applications  at  the  source:  the  code  itself.  What's  that  mean  for  you?  A  little  more  sleep  at 
night.  While  the  hackers  take  the  plunge.  Visit  fortifysoftware.com/10Q  for  10  questions  you'd 
better  ask  to  be  sure  your  company's  assets  are  secure. 


FORTIFY SOFTWARE


FROM  THE  CEO 


From  Alignment  to 
Convergence 

In  which  an  old  story  is  retold  and  reimagined 

CIO  Publisher  Gary  Beach  and  I  recently  received  this 
question  from  a  friend  of  ours  in  the  market: 

I  recently  reviewed  research  indicating  that  CIOs  don’t 
want  to  hear  about  “aligning  IT  to  the  business.”  That’s 
old  news.  Instead,  they  want  to  hear  about  how  CIOs  are 
contributing  to  the  business,  how  they’re  innovating  for 
business  value.  What  are  your  thoughts? 

Beach:  Alignment  is  still  important,  but  it  seems 
the  leading  CIOs  have  taken  alignment  to  the  next 
level:  the  convergence  of  business  and  technology  strategies. 

An IDC study this past spring reported that 50 percent of CIOs claim their focus
this year will be enabling growth and innovation. Within 24 months, that number
will increase to nearly 80 percent. Ralph Szygenda, GM’s CIO, said it best: CIOs are
morphing from being information “caretakers” charged with keeping the shop running
to being “business brokers” focused on transforming the business.

Friedenberg: While alignment is necessary for success, the message itself has
become dull. What CIOs are talking about is the need to create business readiness,
reliability and resilience. The alignment and convergence of the business and IT
goals achieve this while transforming people, processes and the products they produce.
Marc West, CIO of H&R Block, and Bill Morgan, CIO of PHLX, recently shared
with me their view that the need for alignment will never go away, but it’s the execution
behind the alignment that’s essential.

Another  way  to  think  about  this  is  in  light  of  how  our  economy  is  changing  from 
transaction  to  interaction-based.  How  can  businesses  use  IT  to  deliver  customer 
loyalty?  This  is  going  to  be  the  new  value  proposition  against  which  every  successful 
CIO  will  be  measured.  Hope  this  helps. 

What  do  you  think?  Did  Gary  and  I  give  sound  advice  or  steer  a  pal  wrong? 


BUSINESS  TECHNOLOGY  LEADERSHIP 


president  and  ceo  Michael  Friedenberg 
publisher  Gary  J.  Beach 

CXO  MEDIA 

CIRCULATION 

svp,  circulation  Carol  A.  Spach 
subscription  svcs.  supervisor  Tina  Pescaro 

CIO  EXECUTIVE  COUNCIL 
GENERAL  MANAGER  Mark  Hall 
program  director  Shaw  Lively 
vp,  development  Dexter  Siglin 
managing  dir.,  content  development  Richard  Pastore 
dir.,  external  relations  Karen  Fogerty 
director  of  research  Michael  Swenson 
marketing  communications  manager  Jennifer  Baker 
mgr.  of  operations  and  project  mgmt.  Jean  Costello 
director  of  development  Steve  Rovniak 

PROGRAM  SERVICES  MANAGERS 

Michael  Fahlsing,  Ellen  Friedman,  Bill  Golden, 
Carrie  Mathews,  Bill  Roche 

DEVELOPMENT  MANAGERS 

Patrick Clarke, Lauren DeLong, Steve Dodman,
Robert  Graham,  John  Harrison 

EXECUTIVE  PROGRAMS 

vp,  executive  programs  Ellen  Daly 
dir.,  business  development  John  Vulopas 
director,  event  marketing  Mary  Conroy 
conference  manager  Judith  Kittredge 
event  planner  Sarah  Reagan 
event  coordinator  Bethany  Whiffin 
client  relations  associate  Lisa  Byron 
client  services  specialist  Cress  O'Brien 

INFORMATION  SYSTEMS 

idg  dir.  of  information  services  Nancy  Newkirk 
lead  developer  Sean  McCracken 
senior  user  support  specialist  Christopher  A.  Kay 
user  services  specialist  Gloria  Lam 
senior  web  developer  David  Cohen 
web  developer  Sanghee  Seo 

PRODUCTION 

VP, MANUFACTURING Chris Cuoco
production  manager  Heidi  Broadley 
associate  production  manager  Lisa  M.  Stevenson 

MARKETING 

SR. DIRECTOR, MARKETING COMM. Sue Yanovitch
sr. marketing comm. specialist Susan Murray
marketing comm. specialist Lynn Holmlund

RESEARCH 

research  director  Lorraine  Cosgrove  Ware 
research  manager  Carolyn  Johnson 

ADMINISTRATION 

coo  Matt  Smith 

dir.,  finance  Margarita  Chiango 

FINANCIAL ANALYST, ONLINE AND INTEGRATED PRODUCTS

Chris  Bernardi 

executive  assistant  to  the  president  Diane  Martin 
accounting  specialist  Joyce  Gillis 
facilities  specialist  John  Kelley 
office  services  coordinator  Mary  E.  Wooldridge 

HUMAN  RESOURCES 

vp,  human  resources  Patricia  Chisholm 
sr.  hr  representative  Beth  S.  Ramistella 


international  data  group 
board  chairman  Patrick  J.  McGovern 

president,  idg  communications  Bob  Carrigan 


Michael  Friedenberg,  President  and  CEO 

mfriedenberg@cio.com




PHOTO  BY  CHRISTOPHER  HARTING 




It's  fundamental  to  your  business.  Are  you  leveraging  your  location  data? 


Customer  addresses,  time  zones,  office  facilities,  service  areas,  political  boundaries,  critical  shipments, 
utility  networks,  field-workers,  real  estate,  mobile  assets,  and  warehouses — location  is  mission  critical 
in  every  organization. 


By  leveraging  the  location  information  that  is  inherent  in  your  information  systems,  you  can  manage 
your  organization  more  efficiently  and  cost-effectively,  helping  you  gain  a  competitive  advantage. 

ESRI  technology  is  a  standards-based,  scalable,  and  interoperable  platform  that  can  exploit  location 
data  in  your  business  processes.  With  ESRI  geographic  information  system  (GIS)  technology,  you  can 
make  location  information  and  analysis  available  to  the  people  in  your  organization — at  all  levels — 
who  need  it  most. 


To  learn  more  about  leveraging  your  location  data,  please 
visit  www.esri.com/it  or  call  1-888-373-1192. 

You  have  the  location  information;  put  it  to  work  for  you. 


ESRI 


Copyright © 2005 ESRI. All rights reserved. The ESRI globe logo, ESRI, ArcMap, www.esri.com, and ArcInfo are trademarks, registered trademarks, or service marks of ESRI in the United States, the European Community, or certain other jurisdictions


BUSINESS  TECHNOLOGY  LEADERSHIP 


WHAT  WE  COVER,  WHOM  TO  CONTACT 


CIO  CAREER 
■ Skills


president  and  ceo  Michael  Friedenberg 
publisher  Gary  J.  Beach 

EDITORIAL 

editor  in  chief  Abbie  Lundberg 
managing  editor  David  Rosenbaum 

EXECUTIVE  EDITORS 

Christopher  Koch,  Elana  Varon 

WASHINGTON  BUREAU  CHIEF 

Allan  Holmes 

TECHNOLOGY  EDITOR 

Laurianne  McLaughlin 

SENIOR  EDITORS 

Stephanie  Gelston,  Stephanie  Overby 

SENIOR  WRITERS 

Meridith  Levinson, 

Thomas  Wailgum,  Ben  Worthen 

CONTRIBUTORS 

William Alford, Ben Ames, Scott Berinato,
Mike  Hugos,  Sumner  Lemon, 
Susannah  Patton,  Michael  Schrage,  Matt  Villano 

EDITORIAL  ADMINISTRATOR 

Jill  Paquette 

DESIGN 

EXECUTIVE  DIRECTOR,  ART  AND  DESIGN 

Mary  Lester 

art  director  Terri  Haas 

ASSOCIATE  ART  DIRECTORS 

Matthew  Goebel,  Chandra  Tallman 

COPY  TEAM 

ASSISTANT  MANAGING  EDITOR 

Emily  S.  Henderson 

SENIOR  COPY  EDITORS 

Diann  Daniel,  Cathy  Mallen 

COPY  EDITOR 

Susan  Bryant-Still 

EDITORIAL  ASSISTANTS 

Margaret  Locher,  Christopher  Lynch, 
Katherine  Walsh 

ONLINE  EDITORIAL 

WEB  EDITORS 

Sandy  Kendall,  Paul  L.  Kerstein, 
Christopher  Lindquist 

ONLINE NEWS WRITER Al Sacco

online  copy  editor  David  Gradijan 
RESEARCH 

RESEARCH  DIRECTOR 

Lorraine  Cosgrove  Ware 

RESEARCH  MANAGER 

Carolyn  Johnson 

CXO MEDIA INC.

INTERNATIONAL  data  group 
board  chairman  Patrick  J.  McGovern 

PRESIDENT,  IDG  communications  Bob  Carrigan 



©CXO  Media  Inc. 


■  Job  Specs 

■  Career  Path 

■  Professional  Development 

■  Personal  Development 

Stephanie  Gelston,  sgelston@cio.com 
Meridith  Levinson,  mlevinson@cio.com 

LEADERSHIP  &  MANAGEMENT 

■  Governance  &  Alignment 

■  Budget  Management  &  IT  Value 

■  Business  Process  Redesign 

■  Management  Methodologies 

■  Project  Management 
Christopher  Koch,  ckoch@cio.com 
Elana  Varon,  evaron@cio.com 

SOURCING  &  STAFFING 

■  Staffing 

■  Vendor  Management 

Stephanie  Gelston,  sgelston@cio.com 
Stephanie  Overby,  soverby@cio.com 

RISK  MANAGEMENT 

■  Security 

■  Business  Continuity 

■  Compliance 

Allan  Holmes,  aholmes@cio.com 
Ben  Worthen,  bworthen@cio.com 


ENTERPRISE 

INFRASTRUCTURE 

■  Enterprise  Architecture,  SOA 

■  Middleware 

■  Enterprise  Resource  Management  (ERP) 

■  Supply  Chain  Management  (SCM) 

■  B2B  Electronic  Commerce 

Christopher  Koch,  ckoch@cio.com 
Thomas  Wailgum,  twailgum@cio.com 
Ben  Worthen,  bworthen@cio.com 

CUSTOMERS 

■  Customer  Resource  Management  (CRM) 

■  B2C  E-Commerce 

■  Business  Intelligence 

■  Privacy 

Allan  Holmes,  aholmes@cio.com 

TECHNOLOGY 

■  Emerging  Technology 

■  Networking  &  Communications 

■  Data  Center 

■  Storage 

■  Hardware 

■  Wireless/Mobility 

■  Knowledge  Management 
Christopher  Lindquist,  clindquist@cio.com 
Laurianne  McLaughlin,  lmclaughlin@cio.com 
Thomas  Wailgum,  twailgum@cio.com 

GOVERNMENT 

Allan  Holmes,  aholmes@cio.com 


COLUMN  &  DEPARTMENT  CONTACTS 


Applied  Insight 

Christopher  Koch,  ckoch@cio.com 

Book  Reviews 

Laurianne  McLaughlin,  lmclaughlin@cio.com 

By  the  Numbers 

Laurianne  McLaughlin,  lmclaughlin@cio.com 

Endlines 

David  Rosenbaum,  drosenbaum@cio.com 

Essential  Technology 

Laurianne  McLaughlin,  lmclaughlin@cio.com 

Forum 

David  Rosenbaum,  drosenbaum@cio.com 

InBox 

Cathy  Mallen,  cmallen@cio.com 

Keynote 

Elana  Varon,  evaron@cio.com 


Martha  Heller 

Stephanie  Gelston,  sgelston@cio.com 

Michael  Schrage 

Abbie  Lundberg,  lundberg@cio.com 

On  the  Move 

Meridith  Levinson,  mlevinson@cio.com 

Peer  to  Peer 

Elana  Varon,  evaron@cio.com 

Susan  Cramm 

Stephanie  Gelston,  sgelston@cio.com 

Total  Leadership 

Elana  Varon,  evaron@cio.com 

Trendlines 

Laurianne  McLaughlin,  lmclaughlin@cio.com 


e-mail  letters@cio.com  phone  508  872-0080  fax  508  879-7784  address  CIO  Magazine,  CXO  Media  Inc., 
492  Old  Connecticut  Path,  P.O.  Box  9208,  Framingham,  MA  01701-9208  website  www.cio.com 
subscriber  services  866  354-1125  •  Fax  847  564-9453  •  E-mail  cio@omeda.com 
reprint  services  Jennifer  Eclipse  •  PARS  International  •  212  221-9595  ext.  237  •  E-mail  jeclipse@parsintl.com 
rights and permission Yadira Pizarro • 212 221-9595 ext. 231 • E-mail yadira@parsintl.com




Copyright 2006 Apani Networks, Inc. Apani Networks, EpiForce, the Apani Networks logo design and the "Apani Picketers" icons are registered trademarks of Apani Networks, Inc. All rights reserved.


WORRIED ABOUT DE-PERIMETERIZATION?

IF  YOUR  DATA  COULD  TALK,  YOU  WOULD  BE. 

It's  no  secret  that  the  network  perimeter  has  many  holes.  Globalization,  outsourcing  and  wireless  technology 
has  made  the  perimeter  difficult  to  define,  let  alone  protect.  Leaving  your  data  dangerously  exposed. 
The results could be disastrous. Enter EpiForce™ from Apani Networks™, with a new security architecture
used by some of the world’s largest organizations. EpiForce™ was designed to protect
inside the perimeter, which helps secure your entire network - and your peace of mind.


Apani 


To  learn  more  about  securing  inside  the  network  perimeter,  get  a  free  copy  of  "The  Definitive  Guide 
to  Security  Inside  the  Perimeter"  by  Rebecca  Herold  at  www.apani.com/cioguide. 


what  do  you  see? 


IBM, the IBM logo, ibm.com, Innovator’s Innovator and What Makes You Special? are registered trademarks or trademarks of International Business Machines Corporation in the
United  States  and/or  other  countries.  Other  company,  product  and  service  names  may  be  trademarks  or  service  marks  of  others.  ©  Copyright  IBM  Corporation  2006.  All  rights  reserved. 



what  makes  you  special? 


what  does  your  CEO  see? 


After  all,  the  closer  your  shared  vision,  the  greater  your  chance  for  success.  With  that 
in  mind,  we  spoke  to  765  CEOs  around  the  world  about  innovation,  collaboration  and 
other  key  issues.  Find  out  what’s  important  to  them  now,  what’s  coming  in  the  future  and 
what  it  all  means  for  you,  the  CIO.  Get  our  exclusive  report  featuring  their  uncensored 
views  and  opinions.  You  may  find  you  and  your  CEO  more  closely  aligned  than  ever. 


To  get  the  CIO  implications  report  based  on  the 
CEO  Study,  go  to  ibm.com/special/cio2 


READER  FEEDBACK 



Delivering  on  IT 

In your From the CEO piece in the Aug.
15 issue, you state that on average, 70 percent
of IT projects go over budget, don’t
meet specifications and don’t finish—serious
problems we’ve grappled with in IT for
many years. Having spent over 25 years in
IT, both working directly for a number of
Fortune 100 companies and consulting at
many more, I’ve made three key observations
as to why we can’t seem to improve
IT delivery:

1. Most companies do not have business
process maps that are owned and maintained
by the business unit. This requires
IT to continually revisit this information
with clients, and at great cost. Management
doesn’t understand the value of this investment,
and the scarcity of resources further
exacerbates the problem.

2. Similarly, technology maps tend to be
done as a snapshot and are rarely maintained
as companion documents to business
process maps. In combination, these
living documents could be powerful
tools that define the integrated “as is”
and “to be” states necessary to move
forward. Again, these are typically
done as single-use documents that
lose their value shortly after a project
is completed.

3. Finally, many companies have
implemented an IT project management
methodology but continue to
miss the mark when estimating
the time and resources necessary
to complete projects. More often
than not, the project team is forced
to back into target dates, and IT
staff must either take shortcuts
and risk delivering a poor-quality
product, or deliver late. Unrealistic
expectations are set with
clients, who are undoubtedly
skeptical, yet complicit in that
they continue to accept the status quo.

These are three actionable areas that
IT workers could focus on to improve
their long-term ability to deliver quality
systems that meet user requirements.
Embracing these requires leadership that
understands the investment value and is
proactive versus reactive. Just as we sometimes
“don’t see the forest for the trees,”
today’s CIOs rarely see the opportunities
for their own priorities. Shortsightedness
is rewarded, and that’s all that matters.

CAROLYN  TROIANO 

IT Outreach

“Communicating IT’s Value: Tools and Tactics” by Sari Kalin [Aug. 1] is
bristling with ideas for engaging business in our IT work. We follow much of
the wisdom presented, including formal presentations, targeted customer
publishing (though we need to do much more in the canned presentation area)
as well as the ambassadorial approach of CompuCredit. Thanks for focusing on
this critical task of getting IT understood by internal business customers.

CAM  BOYCE 

Communications  Director 

Office  of  the  Chief  Information  Officer 

Food  and  Drug  Administration 

Building  Alignment 

I just read your story “How to Align IT with Business Innovation”
[Trendlines, Aug. 1]. Many businesses that I deal with talk about enterprise
architecture and architects only in the context of defining and delivering
the technologies and IT, much like Alexandra Heymowska has done. As an
enterprise architect, the first thing I worry about is the top-level business
model—how it is constructed and optimized to satisfy the business goals,
objectives and strategies. After that is understood, the technologies and IT
can be assessed and aligned to ensure the business needs are met.

Enterprise architecture and architects must move away from thinking only
about satisfying business needs via technology and IT. It is the enterprise
that they are responsible for architecting, not only the technology and IT of
the enterprise. The businesses that have established enterprise architecture
teams can do a lot to improve their business by giving the architects in that
team the responsibility and leadership for architecting the business, and
then also aligning the technology and IT to that business architecture.

I think the enterprise architects all around the world understand their
responsibilities but are challenged like many of us because they are labeled
as IT people.




They have much more to give to the business than just effective technology
and IT architectures.

STEVEN  ARBOGAST 

President 
QualiWare  Inc. 

IPv6:  Hype  or  Hornet’s  Nest? 

This article [“China Builds a Better Internet,” July 15] presents the issue
as a gloom-and-doom scenario, which it isn’t. Unless China releases its
stranglehold over its own people’s use of the Internet, there is no way it is
going to be able to control other nations used to having that freedom. IPv6
is only a protocol—a method for getting information from one place to another
that has certain advantages over IPv4 but isn’t a “killer app” in and of
itself. I think the author exaggerates the point to stress that the United
States needs to be more proactive about moving to IPv6, which it should be.
But competing over a protocol? Let’s get real.

ANONYMOUS 


Despite  the  concerns  regarding  privacy 
and  Big  Brother-related  issues,  it  is  time 
to  seriously  look  into  the  applications  and 
innovation  capabilities  of  IPv6  rather  than 
waiting  to  fix  all  the  loopholes. 

RANJAN  KINI 

Professor  of  Management  Information  Systems 
Indiana  University  Northwest 
rkini@iun.edu 

Implementation of IPv6 is agonizingly slow in most commercial environments
because of the expense of upgrading existing infrastructure. Although IPv6
has a name similar to the ubiquitous IPv4, v6 is truly a different protocol
because of the requisite change in addressing within the packet header. In
simple words, migrating to an IPv6 environment is akin to migrating a network
from SNA to IP—not a job to be done overnight.

China’s desire to implement a national IPv6 network is admirable and could be
as significant as the original Internet initiated by DARPA. However, China’s
ultimate Internet success is more dependent upon its ability to develop the
research facilities to build upon an IPv6 backbone than being dependent upon
simple construction of a national IPv6 backbone. If—and that’s a big if—it
can stimulate native network research capabilities, then it stands a chance
to leapfrog beyond the traditional American networking technology base.

On the other hand, there are numerous American and European research
organizations such as the University of New Hampshire’s Interoperability Lab
that play in the same space as China’s Next Generation Internet and will
likely introduce technology beyond even IPv6.

STEVEN  FULTON 

Director 

Fidelity  Investments 


IPv6 is an accepted Internet standard, not something that China has cooked up
on its own. It makes sense for China, as it builds out its Internet
infrastructure, to use the latest technology. The ability to support IPv6
must be built into the various routers and switches that carry Internet
traffic.

Oddly enough, as most of the world is headed toward faster and cheaper
Internet service, U.S. telcos are asking Congress for the right to slow or
block some traffic and to charge even higher fees for data transmission
through a tiered transmission scheme—free of the pesky “net neutrality.”

JIM BOOTH

CIO,  Spectre  Systems  Inc. 


No  Dinosaurs  Here 

I think you measure CIOs incorrectly [From the Editor, “Are You a Dinosaur?”
July 15]. There are some people who are limited, but I think most CIOs are
aware of new technology. Many of us know the cool things going on. The
question is, how ready is the user community to embrace them and how do they
work in the corporate plan? Are they really cost-effective? Are they a
security risk? Are they tested in the business community? Bleeding edge is no
fun. Leading edge is a ball.

TERRY FREEZE

CIO,  National  Safety  Associates  LLC 
t.freeze@nsai.com 

No one at any level can afford to neglect learning and adopting the
advancements and innovations in technology and the Web. And your staff will
emulate its leader. Set the tone by demonstrating your commitment to learn,
adapt and change, and they will embrace it too.

KEN  BURBARY 

Senior  Vice  President,  Director  of  Engineering 
Campbell  Ewald 

kburbary@campbell-ewald.com 


Calling in the Cavalry

“How to Hook the Talent You Need” [Sept. 1] was a very interesting and
informative article, but please note the following passage:

“A talent war is brewing, and CIOs cannot wait for the calvary to ride over
the hill with the right recruits.” Calvary is a hill located in Jerusalem. I
think the word you were thinking of in this context was “cavalry.” Cheers.

RYAN  THIBODEAU 

IT  Manager 

Athens  Banner-Herald 


What  Do  You  Think? 


Send your thoughts and feedback to letters@cio.com. Letters may be edited for
length or clarity. To find the articles mentioned, go to www.cio.com/archive.



BOARD  OF  ADVISERS  '06 


CIO  wishes  to  acknowledge  the  2006  Editorial  Advisory  Board  members  for  their  ongoing 
guidance  and  reality  check  of  the  magazine’s  content  and  focus.  We  thank  them  for  their 
generosity  in  sharing  their  insight  into  the  world  of  IT  leadership. 


GREGOR  BAILAR 

CIO 

Capital  One 
Falls  Church,  Va. 


PAUL  J.  GAFFNEY 

EVP,  Supply  Chain 
Staples 

Framingham,  Mass. 


REBECCA  R.  RHOADS 

CIO 

Raytheon 
Lexington,  Mass. 


DOUG  BARKER 

CEO 

Barker  and  Scott  Consulting 
Washington,  D.C. 


ANDY  GEISSE 

CIO 

AT&T 

San  Antonio 


LARAINE  RODGERS 

President 

Navigating  Transitions 
Tucson,  Ariz. 


WAYNE  D.  BENNETT 

Partner 
Bennett  Law 
Wellesley,  Mass. 


JOHN  GLASER 

VP  &  CIO 

Partners  Healthcare 
Boston 


JAMES  F.  SUTTER 

Senior  Partner 

The  Peer  Consulting  Group 

Newport  Beach,  Calif. 


LARRY  BONFANTE 

CIO 

United  States  Tennis  Association 
White  Plains,  N.Y. 


SCOTT  HEINTZEMAN 

CIO 

Carlson  Marketing  Group 
Plymouth,  Minn. 


RICHARD  W.  SWANBORG  JR. 

President 

ICEX 

Boston 


SHEILA  DONAHOE 

CIO 

Bluegreen 
Boca  Raton,  Fla. 

MICHAEL  EARL 

Professor  of  Information 
Management,  Dean  of 
Templeton  College 
Oxford  University 
Oxford,  England 


C.  LEE  JONES 

Chairman, President & CEO

Essential  Group 
Gurnee,  Ill. 

SUSAN  S.  KOZIK 

EVP  &  CTO 
TIAA-CREF 
New  York  City 

BUD  MATHAISEL 

Corporate  VP  &  CIO 
Solectron 
Milpitas,  Calif. 

SHELEEN  QUISH 

Former  CIO 
U.S.  Can 
Lombard,  Ill. 


PATRICIA  WALLINGTON 

President 
CIO  Associates 
University  Park,  Fla. 

ROBERT  P.  WEIR 

VP,  Information  Services 
Northeastern  University 
Boston 

STEVE  WILLIAMS 

SVP & CIO
Mattress  Giant 
Addison,  Texas 




trendlines 

EDITED BY LAURIANNE McLAUGHLIN

NEW * HOT * UNEXPECTED


A  New  World  of  Risk 


Protect your company when it takes the global plunge


RISK MANAGEMENT

This summer’s train bombings in Mumbai hit close to home for American CIOs
with offshore operations in India. This time, no U.S. companies reported
major interruptions. But in an increasingly integrated world, CIOs can’t
afford to be reactive in their management of global risk, says Paul
Laudicina, recently appointed chairman of A.T. Kearney and author of World
Out Of Balance: Navigating Global Risks To Seize Competitive Advantage.


CIO: You formed A.T. Kearney’s Global Business Policy Council (a
cross-section of business and policy leaders) more than a decade ago to study
geopolitical shifts that could shape—or shake—the business environment.
What’s changed?

Paul Laudicina: During those halcyon days, we were just beginning to reap the
benefits of global integration and people thought that globalization would
continue on uninterrupted as an ever-more positive series of developments. It
wasn’t until the bursting of the tech bubble, corporate scandals like Enron
and WorldCom, 9/11 and the other shocks that occurred around the turn of the
century that people became more aware of the negative side of global
connectedness.


What’s the CIO’s role in managing geopolitical risk?

CIOs are on the front lines and they’re beginning to worry much more broadly
about what their exposure is, particularly with offshore IT and business
process outsourcing.

The first wave of offshoring was focused on application development

Continued on Page 26


HP’s wireless wonder: The size of a grain of rice.


MEMORY ON A STICKER

MEMORY

Hewlett-Packard has created a prototype wireless memory chip the size of a
grain of rice that holds up to 4 megabits and attaches like a sticker to
paper or plastic. HP says its Memory Spot, which includes a built-in antenna,
could be used to attach digital information to documents, photos and
packages. For example, companies could add audio or video clips to brochures,
or place authenticity data on packaging.

The chip's antenna can transfer data at speeds up to 10Mbps, about 10 times
faster than Bluetooth technology and close to the speed of Wi-Fi. Data on a
Memory Spot could be accessed using specialized reader devices, as well as
cell phones, PDAs, cameras and printers, if HP can convince device-makers to
build in readers.

While not expected to ship commercially for several years, a Memory Spot can
store more data than radio frequency identification technology.

The chip's size could also help corporate thieves steal data, though this
risk can be managed via the same type of strong security policies that you
should already be imposing to cover risks like portable USB drives, says
James McQuivey, a professor at Boston University’s College of Communication.

-Sumner  Lemon 


ILLUSTRATION  BY  ROBERT  NEUBECKER;  PHOTO  COURTESY  OF  HP 




I  Say  Maintenance, 


VENDOR MANAGEMENT

If men are from Mars and women are from Venus, CIOs and CMOs must be in
different solar systems.

At least that's the conclusion of "C-Tech," a recent study from New
York-based research firm Doremus.

The study, querying 400 C-level execs at Fortune 500 firms, revealed CIOs
have overwhelming distrust for independent technology vendors, and by
extension, their chief marketing officers. In particular, the study noted
that CIOs and vendor CMOs use the same words to describe what they mean by
service, but their meanings differ.

“One says service and the other thinks price,” says Lou Rubin, managing
director of DPrime Consulting, a division of Doremus. Rubin adds that Doremus
hired an ethnographer to delve into the discrepancies between meanings, and
this specialist determined that “none of these technology leaders has defined
a set of terms.”

Another example: To CMOs, trust means fulfilling service agreements, but to
CIOs, it means anticipation of problems. Total cost of ownership and return
on investment also cause trouble, Rubin notes.

Semantics  wasn't  the  only  sore  subject  unearthed  in  the  report: 
CIOs  also  criticized  product  vendors  for  problem  resolution.  They  too 
often  replace  technology  instead  of  finding  solutions,  CIOs  said. 

According to Rubin, CIOs can get better service by requesting explicit,
incentive-laden service level agreements (SLAs). Rubin suggests CIOs only
sign SLAs tied to vendor follow-through and success.

“At this point the Holy Grail is a service agreement that rewards both
parties for achieving certain performance metrics,” he says. “This kind of
contract may be the only way to restore trust.”

-Matt Villano


ONLINE

Do You Tube?

YouTube, which lets users post and share short video clips, and social
networking site MySpace have both moved out of the realm of interesting and
into the realm of online giants. Check out their latest stats:

100 million+: Videos watched on YouTube daily

65,000+: New video clips uploaded to YouTube daily

[figure illegible] million: Unique visitors per month to MySpace.com

SOURCE: comScore


Continued  from  Page  25 


and maintenance, both of which have relatively contained levels of risks. But
as higher-level processes like R&D and design work go offshore, the risks
increase. Today, CIOs have to consider, “What do I do if my financial data is
lost or pirated? Or if our operations are interrupted by a terrorist attack?”


Do  traditional  business  continuity 
plans  provide  enough  protection? 

Companies need to have a comprehensive risk management plan. That’s a plan
that looks at all the important earnings drivers for a company and all the
important processes they have in place around the world that could affect
those drivers. You catalog all the things that could happen and develop risk
mitigation plans for them. You have to make some hardheaded cost-based
analyses of what risks you can afford to manage, and create very clear
accountability.

What’s  the  role  of  technology  in  comprehensive 
risk  management? 

The CIO’s role is not just to enable the company to operate more efficiently
and keep global IT and operations running, but also help the company
understand how to use technology to wire around some of the problems that may
otherwise bedevil a company that’s growing globally.

After 9/11, if you looked at economic indicators there was a slowdown but
technological indicators increased. Companies were using technology to wire
around other potential interruptions. At Sun, for example, they’ve developed
a software application that tracks and earmarks events that could affect
their supply chain, from geopolitical issues to regulatory change in China.
We’re seeing the beginnings of innovation in this area.

Is  there  an  upside  to  global  uncertainty? 

By  identifying  risks,  you  are  often  able  to  identify 
opportunities.  While  creating  a  risk  management 
strategy  for  a  consumer  products  company,  we 
identified  the  risks  associated  with  some  of  their 
existing  suppliers.  But  in  the  process  of  doing 
that,  we  uncovered  new,  lower  cost  suppliers  they 
would  have  never  looked  into  had  they  not  been 
concerned  about  their  existing  risk. 

-Stephanie  Overby 


PAUL 

LAUDICINA 




PHOTO  COURTESY  OF  A.T.  KEARNEY 



Houston, 

Solved  Our 
Problem 


CHANGE  STUDIES 

Could your IT team band together to save the Apollo 13 astronauts? That’s the
mission for participants in a novel IT Infrastructure Library (ITIL) training
program run by CA (formerly Computer Associates).

Knowing the Apollo 13 story (in which astronauts and NASA scientists modified
a lunar excursion module to get astronauts home safely) doesn’t equal success
in this class. Participants in the one-day role-playing course are dealt
cards that ask them to solve Apollo 13 operational issues; if they don’t
apply processes properly, they can’t progress toward winning the game.
Between rounds, players brainstorm on how to improve.

ITIL, a customizable framework, provides guidelines to help IT departments
coordinate their processes and deliver the best IT service—for instance,
quick problem resolution. ITIL typically involves big change for IT
departments, because work that was being done ad hoc must be done in formal
steps. Another change: People must understand IT processes outside their
immediate areas of responsibility. CA’s training aims to remove the fear of
these changes by showing how good processes work together to solve problems,
says David Yachnin, director of CA’s Federal Technology Office and a leader
of the course.

Phil Bertolini, CIO for Oakland County, Mich., took the class earlier this
year as he and his staff prepared to transform five help desks into one
centralized service desk, using ITIL.

The class improved his planning, he says. For example, he played “Capsule
Communicator,” the person who must get data to the team to solve problems—a
role analogous to an IT help desk manager. When he and his team failed to
save the astronauts in the first half of the game, Bertolini says he got a
deeper realization of how hard it is to be a help desk manager, and of how
intricate a good knowledge base must be. Plus his 11 staff members
participating saw that he understood their challenges, Bertolini says.

About 90 percent of teams save the astronauts, Yachnin says. The take-home
lesson: Don’t make processes have so many steps that they kill someone. For
more on implementing change, see “The New Science of Change,” Page 54.

-Laurianne  McLaughlin 



Pokerbot:  It  Knows  When  to  Hold  Them 


ARTIFICIAL  INTELLIGENCE 

A  poker-playing  robot  may  help  find  the 
answers  to  some  of  the  most  intractable 
challenges  in  the  business  world,  such 
as  optimizing  e-commerce  and  auction 
applications. 

Programmers have historically tried to teach computers to play chess, setting
up the iconic 1996 match between IBM's Deep Blue computer and human champion
Garry Kasparov. But poker provides a better test of artificial intelligence
(AI), says Tuomas Sandholm, a professor at Carnegie Mellon University: While
chess players can see all the game pieces, poker players face many hidden
details, like what cards the opponent has been dealt.

Sandholm specializes in the correlation between strategic behavior and
computational complexity, and runs his own company, CombineNet, which
develops algorithms to optimize procurement for companies like H.J. Heinz.

He put his latest technology to the test in July when he brought his
poker-playing robot, called GS2, to compete in a Boston tournament sponsored
by the American Association for Artificial Intelligence. What’s the greatest
strength of GS2's technology? About 26 million possibilities exist for poker
hands in the second round of a Texas Hold ’Em game—too many for a computer to
analyze: GS2 uses an algorithm that reduces the number of possibilities, to
consider just 2,465 strategically similar hands.

GS2 has not beaten a top human player yet, but Sandholm continues to refine.

“The research problem is how to come up automatically with better and better
strategies,” Sandholm says. “The computational and combinatorial complexity
of solving the game makes this enormously challenging.”

-Ben  Ames 




PHOTO  COURTESY  OF  NASA:  ILLUSTRATION  BY  ISTOCKPHOTO.COM 




Are U.S. CIOs Too Afraid of New Technology?


INNOVATION

Chinese and European companies are driving higher productivity and earnings
growth than their U.S. counterparts because they’re more aggressively
deploying new technologies like Web services that automate business
processes, according to a new survey from Accenture. American companies are
too reluctant to invest in new technology, Accenture concludes.

“U.S. companies have the oldest systems among the global community and use
most of their new investments to fortify them,” says Bob Suh, an Accenture
managing director and author of the survey. (CIO’s own research confirms that
CIOs spend a disproportionate amount on legacy systems.) “Maintaining legacy
systems is a vicious cycle that consumes ever more capital, time and
attention and prevents American companies from driving more investment into
technologies that impact customers,” Suh says.

According to the survey of almost 500 IT executives, only 6 percent of
American CIOs want to take a leading role in adopting new technologies,
compared with 19 percent of Chinese CIOs. Seventy percent of Chinese firms
are committing a major part of their businesses to Web services, compared
with just 42 percent of U.S. firms.

Maintaining legacy systems is a bad strategy long term when your rivals have
more flexibility, Suh says.

But American CIOs aren’t taking Accenture’s bait. Because they’ve oversold
the business benefits of everything from ERP to outsourcing, many remain
loath to begin trumpeting new technology. “The last thing I want to do is
sell new technologies to my board,” says Mike Anderson, VP and CIO of beauty
products manufacturer Cosmetic Essence.

They’re also not convinced that newer is necessarily better. “We can develop
very innovative solutions to challenges we face in the business by finding
ways to integrate and reuse databases and systems we’ve developed in the
past,” says Mark Settle, CIO of Arrow Electronics.

-Meridith Levinson


Smart Lessons from the Mavericks

32 free-thinking companies share secrets on problem-solving, recruiting and
more


Companies content to be just a little better than the competition may fade
into mediocrity. That’s the warning from William C. Taylor and Polly LaBarre
in their new book, Mavericks at Work. Companies defining not only best
practices but also a set of next practices will be the ones that shine in an
overcrowded, ultracompetitive marketplace, say the authors (both original
members of Fast Company's editorial team).

After  spending  nearly  two  years  visit¬ 
ing  32  maverick  firms,  the  authors  have 
lessons  to  share  in  four  key  areas:  rethink¬ 
ing  competition,  reinventing  innovation, 
reconnecting  with  customers  and  rede¬ 
signing  the  workplace.  Despite  differing 


.At 


greatly  in  terms  of  size, 
revenue  and  business 
models,  the  companies 
profiled  share  a  "usual  isn't  good 
enough"  mind-set.  For  example,  these 
mavericks  provide  compelling  reasons 
for  customers  to  choose  them.  One 
maverick  idea  that  CIOs  might  apply  is 
the  concept  of  “open-source  innovation": 
When  you’re  stuck  on  a  business  problem, 
consider  turning  to  the  outside  world  for 
help  instead  of  trying  to  force  a  solution 
internally.  The  authors  present  the  case 
study  of  mining  company  Goldcorp,  which 
shared  proprietary  data  in  a  Web-based 
contest  seeking  solutions  on  where  to  drill 


[Mavericks  at  Work:  Why  the  Most 
Original  Minds  in  Business  Win 

By  William  C.  Taylor  and  Polly  LaBarre 
HarperCollins,  2006,  $26.95 

for  gold,  with  great  success. 

Also  informative  for  CIOs:  Mavericks 
buck  traditional  ideas  regarding  hiring 
and  recruiting.  They  hire  with  the  notion 
that  character  outweighs  credentials.  And 
they  don't  wait  for  good  people  to  contact 
them.  They  look  for  those  who  fit,  and  con¬ 
sider  it  a  bonus  to  recruit  them  from  rivals. 

Ultimately,  Mavericks  at  Work  poses 
a  challenge:  Is  status  quo  good  enough 
for  your  company,  or  will  you  find  a  way 
to  be  at  the  forefront  of  business  leader¬ 
ship?  CIOs  charged  with  driving  new 
lines  of  revenue  could  find  insight  in  this 
book— and  value  in  answering  the  key 
questions  it  presents.  -Cathy  Mallen 


32  SEPTEMBER  15,  2006  |  www.cio.com 




TRENDLINES 


Server Virtualization: The Real Savings

Gauge ROI comprehensively to avoid flawed technology plans

Server virtualization has hit its heyday: 76 percent of companies across a wide range of industries have already deployed server virtualization in the data center or plan to do so, according to a recent survey of 700 firms by the Yankee Group. Only 4 percent indicated they have no plans for virtualization. One goal is clear: Save big. But many businesses fail to calculate virtualization’s real cost savings—and this can lead to poor planning for future hardware, software and service purchases.

The benefits of server virtualization (enabling a single server to function as multiple servers) are now well understood. Survey respondents praised the technology's ability to reduce data center space requirements, slash staffing and power costs, and save the day at times of natural disaster or hardware trouble. Fifty percent of companies that have deployed virtualization believe the technology has yielded direct cost savings.

Yet among this group that has seen savings, 28 percent had not even attempted to measure those savings, and 25 percent were unsure of how to begin. Among this group, 26 percent indicated they saw immediate gains.

But a whopping 39 percent overall were unsure how long it took to see virtualization's ROI.

Surprisingly, many businesses fail to gather crucial information needed to calculate the total cost of ownership (TCO) of server virtualization, says Yankee Group Research Fellow Laura DiDio, who authored the study. Why? The majority of companies have no processes in place to perform in-depth data collection surrounding virtualization TCO, she says. And many companies, DiDio says, are simply unsure of how to measure it.

Companies must look beyond the costs of servers, storage and network infrastructure, she says: Too many IT organizations fail to measure how virtualization changes spending on security technology, staffing, training, application development, testing, consulting needs and support contracts.


Companies Still Don’t Understand the Math

Think beyond hardware and energy costs. To figure virtualization’s TCO, measure all the related costs—such as training, consulting needs and security improvements. Otherwise, you could see low ROI and botch your three- to five-year technology planning.

Review licensing contracts. Some of your software license costs could soar due to multicore processors. Basing pricing on a per-product rather than per-processing-core basis may be the safest bet, as the number of processing cores in your servers will only go up in the next few years, Yankee Group Research Fellow Laura DiDio says.

Consider premium support services, if you have more than 1,000 users and multiple remote locations, and if you lack skilled administrators. Support from firms like Avaya, EDS, Hewlett-Packard and IBM can add about 20 percent to the TCO but can prevent costly mistakes in tasks from configuration to maintenance, DiDio says.


Time to Realize ROI

39% were unsure of how much time it took to realize ROI on server virtualization
26% Immediately
to 3 months
7% 3 to 6 months
8% 6 to 12 months
2% More than 1 year
9% No perceptible ROI

What They Saved*

had not yet attempted to calculate TCO savings
25% were unsure of their estimated TCO savings

*Among companies that reported direct cost savings after virtualization deployment




ESSENTIAL 


FROM  INCEPTION  TO  IMPLEMENTATION  — I.T.  THAT  MATTERS 


Retailers, not manufacturers, have been reaping the benefits of RFID. Here’s what needs to change.


RFID  Decision  Time 


BY  THOMAS  WAILGUM 

SUPPLY CHAIN | Say what you will about Wal-Mart (and people say a lot), but since announcing its intent to transform the retail supply chain by using radio frequency identification (RFID) technology and demanding that its suppliers do the same, the company has been passionately committed to the technology’s evolution. Wal-Mart’s June 2003 RFID mandate—which demanded that during the next several years its suppliers would have to start shipping their products to Wal-Mart distribution centers with RFID tags affixed to cases and pallets (see “Tag, You’re Late,” www.cio.com/111504)—has not only jump-started the RFID industry, but it has provided a snapshot of what’s to come. Wal-Mart’s ultimate vision is a seamless, real-time retail supply chain with fewer out-of-stocks, better promotion management, and invaluable logistics and data analysis. Even a high-level shake-up in April of this year (Rollin Ford, once head of logistics and supply chain, replaced Linda Dillman as CIO) has done nothing to slow the retail giant’s RFID express.

As of this summer, Wal-Mart claims it has reaped many benefits in pilot stores tracking RFID tags with electronic product code (EPC) data. According to Wal-Mart, manually placed orders have declined 10 percent, reducing excess inventory and unnecessary replenishment orders from suppliers. Wal-Mart claims that the new system has ensured that suppliers’ promotional displays are delivered on time and that products are ready for sale when promotions begin, and Wal-Mart workers have been able to move product from back rooms onto store shelves three times faster than before.

For Wal-Mart’s suppliers, metrics like these have opened a window on the supply chain future. But many suppliers have, in fact, done little more with RFID than slap the tags on their cases and pallets, receiving little or no useful data in return. Over the past two years, a number of suppliers have tried to minimize the cost of complying with Wal-Mart’s demands by investing as little as possible in RFID, pointing to uncertainties around standards, readers and tags, says John Fontanella, former senior VP of retail and edge research at Aberdeen Group. And those suppliers that are able to pull the EPC data feeds (which often contain information on case and pallet movements) from Wal-Mart’s Retail Link EDI exchange haven’t yet devised a way to connect that information to their back-end systems.

To fix that disconnect requires money that, so far, has not been earned through the deployment of the technology. Add to that a dearth of RFID expertise (according to a recent Computing Technology Industry Association survey of high-tech companies, 75 percent said the RFID technology talent pool is insufficient to their needs) and it’s not surprising that in a 2006 Forrester Research survey of retailers and manufacturers just 24 percent said they have identified RFID’s business value. Michael Liard, director of RFID and contactless at ABI Research, sums up the typical supplier complaint this way: “We’ve complied, but now what? We’ve got all this data, but we don’t know what to do with it.”

Suppliers are now at a crossroad. “The possibilities [for RFID] are endless,” says Fontanella, “but companies have to take the next step” to get any value from their investment.

The RFID Paradox, or the Suppliers’ Dilemma

According to several surveys, suppliers are conflicted. More than 50 percent of 250 executives surveyed by Aberdeen Group said the inability to show a value proposition for RFID was the single most difficult obstacle in gaining support for further adoption. The survey also found that 60 percent of respondents claimed RFID holds great potential value for their companies, and two-thirds said RFID would help them create significant competitive differentiation in their business processes.

“The data is still exploratory for us,” says Chris Parker, manager of IT infrastructure and strategic planning at the Texas Instruments’ Educational & Productivity Solutions (E&PS) division, which makes calculators and is a midlevel (tier two) Wal-Mart supplier. So far, the RFID tagging of 12 of its products, begun in December 2005, has yet to deliver any big change in Texas Instruments’ supply chain processes or planning. “Right now we’re just testing the waters,” says Parker.

“We know we want to do something with [the data],” says Terry Bargy, VP and CIO of Thomasville Furniture, which makes both furniture-in-a-box products as well as more upscale lines and is also a tier-two Wal-Mart supplier. “[But] it still seems to be something that we don’t have our arms around.”

Like hundreds of other Wal-Mart suppliers, Texas Instruments’ E&PS group and Thomasville see RFID’s potential to transform their demand planning processes, analysis and warehouse management. “Our thought is, How can we leverage these [EPC serial] numbers, using some sort of data warehouse and drill into the numbers?” Bargy says.

But that seems a distant goal. TI’s E&PS group, for example, can access the EPC data for those 12 tagged products through Wal-Mart’s Retail Link system. But the EPC data E&PS can access is case-and-pallet-level information—not item (or product) specific, which experts agree is where the most benefit for suppliers will come from. “Folks that are on the receiving end of all the benefits of the data [right now] are the people handing out those mandates,” says ABI’s Liard.

What Else Can We Do with RFIDs?

A June Aberdeen Group survey found that nearly 70 percent of responding companies were adopting RFID because of retailer demands. But that doesn’t mean companies aren’t looking for other ways to use RFID. Security and asset management, for example, were among other drivers cited in Aberdeen’s survey, titled “The RFID Benchmark Report.”

At Texas Instruments’ Educational & Productivity Solutions division, which makes calculators, the RFID team is currently looking into areas where the technology could improve business processes. One area is preventing loss by tagging employee laptops and mobile devices as well as backup tapes (which currently rely on bar codes). Another initiative is tracking the preproduction calculators loaned to schools for student and teacher evaluation to make sure they are returned.

Chris Parker, a Texas Instruments infrastructure manager in charge of RFID, says that with item-level RFID tagging, the improvement in the now-manual process of receiving a returned, defective calculator, figuring out when and where it was built and determining which of Texas Instruments’ many suppliers’ parts contributed to the defect, would bring unprecedented transparency and efficiency to the company’s operations.

While Parker admits that you can get “carried away” thinking about RFID’s possibilities, he says he won’t “try to force any of that without a clear direction from the business.”

-T.W.

The ROI of Data

For all that manufacturers and retailers know about their supply chains in 2006, there are still a few black holes that RFID-derived data can fill—for example, chargebacks. It’s not unusual for retailers to claim that they received a different quantity of goods from a manufacturer (say, 90 cases on a pallet) than what the manufacturer believes it shipped (say, 100 cases). Retailers don’t pay for cases they claim they never received. That’s a chargeback. Patrick Sweeney, president and CEO of ODIN Technologies, an RFID integration and software company, says that consumer product companies have entire departments that do nothing but track where the goods could have gone and look over invoices and receipts to fix discrepancies. But because RFID tags have serialized numbering of the EPC data on each case, “there is verification of when these things come in, and the money they spent just disputing these things goes away,” Sweeney says, adding that some of ODIN’s clients are doing this right now.

Another area where manufacturers are eager to leverage EPC data is promotional effectiveness—meaning, in Texas Instruments’ case, Did the special back-to-school displays of its calculators go out onto the shopping floor when they were supposed to? Was the display well-stocked during the back-to-school promotion or did stock run out? Did the display stay on the floor for as long as TI wanted (and paid for) it to?

Right now, the company pays people to go into stores and answer these questions. But that’s costly. “We’re hoping RFID will give us insights into all that,” says TI’s RFID Program Manager Tom Shields.

A typical manufacturer will spend 12 percent to 15 percent of the company’s annual sales revenue on promotions, and the industry average for effectiveness of a promotion is 56 percent—a coin toss, says Greg Aimi, director of supply chain research with AMR Research. “Right now, a lot of [promotion planning] is guesswork,” Aimi says. “There’s a high degree of latency and delay.”

During one of its RFID pilots, Gillette used RFID-retrieved EPC data to discover that 33 percent of stores it supplied failed to move its Venus razor displays from the back room to the floors when the company’s Venus promotion started. Stores that got the displays onto the floors on time sold 19 percent more razors than stores that didn’t. According to Gillette’s analysis, a 19 percent sales increase in one-third of the retailer’s stores would represent an overall sales improvement of 6.3 percent for any given promotion. And that’s a lot of razors.

What about China? The country that produces 70% of the products on Wal-Mart’s shelves has not to date played a significant role in defining EPC standards.

SOURCE: “The Evolution of RFID Networks,” MIT's Center for eBusiness Working Paper #224

Process Changes and IT Strategies

Perhaps the most challenging part of getting an ROI from RFID for manufacturers will be integrating the new EPC data flows with their company’s legacy and proprietary systems—such as supply chain and logistics applications and ERP packages—and retooling warehouse and shipping processes to be more in line with RFID’s real-time demands.

The danger for manufacturers with their slap-and-ship deployments—which usually have no clear integration plans or actionable data analysis, and drag on warehouse efficiencies because slap and ship takes extra work—is that RFID implementations will become “islands of technology and information,” as Aberdeen Group’s Fontanella poetically suggests. In that scenario, RFID becomes yet another addition to the unintegrated tangle of systems inside many of today’s enterprises.

For RFID data to join the mainland, companies are going to have to include RFID in their future enterprise architecture plans and answer these questions: Will our integration strategy employ middleware packages or service-oriented architecture? What other systems, such as business analytics applications and data warehouses, will the RFID data flow into? How will the company retrieve, store and cleanse the data? And how will the manufacturer’s systems exchange data with its suppliers’ systems? Via spreadsheets, EDI, XML or the Web?

Right now, there are a lot more questions than answers. CIOs and analysts agree that one way to start dealing with these issues is to create cross-functional teams that can better manage the organizational changes that RFID necessitates. At TI’s E&PS division, execs from IT, supply chain operations, marketing, finance and sales formed such a team in late 2004 and meet at least every three weeks to talk about RFID business demands, data analysis plans and integration strategies, to name but a few issues. For now, Texas Instruments, like many other companies, will proceed cautiously with its RFID plans, mulling over future uncertainties while focusing on the things it can control.

“We’re creative enough to envision a lot of lift with the technology,” says Shields, “but we’re grounded enough to know that there’s a big financial investment to get to some of these applications.”

RFIDs and You

How competitive are you when it comes to RFIDs? For an overview of the RFID industry as well as advice to help you ramp up your RFID initiatives, link to Aberdeen Group’s “The RFID Benchmark Report” at www.cio.com/091506.


Senior  Writer  Thomas  Wailgum  can  be  reached 
at  twailgum@cio.com. 




Mike  Hugos  TOTAL  LEADERSHIP 


The Road Less Traveled

It’s a sign of good IT leadership when a CIO takes a different path from his competitors

At times, a leader must be a bit of a contrarian. A confident, knowledgeable CIO sees past strong prevailing opinions in IT circles to identify other ways her company can use technology—or not use it—to stand out from the crowd. It’s the CIO’s job to find new ways to use IT to advance the fortunes of her organization. But this obligation can also put you on the horns of a dilemma. You may find that both your business colleagues and your own IT staff are reluctant to reject the wisdom of the crowd. Things are complicated enough, they say; why make it worse by doing something different?

Yet sometimes trying something different is exactly what needs to be done. These days, the fast pace of change causes many tried-and-true ideas to lose their effectiveness. CIOs don’t necessarily have to blaze new paths on their own, but they do need to keep a sharp watch for companies that succeed with new approaches to technology. Leadership means being quick to recognize a good idea—wherever it comes from—and being quick to act on it. The ability to try new approaches and capitalize on emerging opportunities is a vital part of succeeding as a CIO.

Get  Away  from  the  Crowd 

Consider, for example, the popular notion that consolidating a company’s operations to run on an all-inclusive ERP system is the best way to be efficient and profitable. If I am to believe the advertisements I see in airports from Chicago to Frankfurt, just about every company will soon be running such a system. The contrarian leader ought to wonder whether it’s wise for her company to follow the crowd and spend millions on ERP when there may be other IT investments that have bigger payoffs.

The  last  company  I  worked  for  had  two  large  competi¬ 
tors.  One  of  their  biggest  challenges  (as  well  as  our  biggest 
challenge)  was  to  integrate  respective  business  units  so  they 
could  collaborate  to  service  our  national  accounts.  We  all  had 
to  face  the  fact  that  our  organizations  were  composed  of  many 
different  units  using  different  ERP  systems  to  run  their  inter¬ 
nal  operations. 

Our  competitors  followed  the  conventional  wisdom.  One 
company  spent  more  than  $150  million  trying  to 
standardize  on  a  single  ERP  system.  The  other 
spent  tens  of  millions  of  dollars  (what  it  cost 
then)  to  build  a  proprietary  Web  order  entry  and 
product  catalog  system— another  popular  idea  at 
the  time. 

Although  the  CEO  and  CFO  backed  my  rec¬ 
ommendation  not  to  invest  more  in  ERP,  there 
was  a  lot  of  pressure  on  me  to  deploy  one  of  those 
proprietary  order  entry  and  catalog  systems.  The  consultants 
who  were  facilitating  our  strategic  planning  process  pushed 
hard  for  us  to  hire  them  to  build  it.  But  I  thought  that  if  we 
followed  their  advice  we  would  spend  most  of  our  money  on 
a  plan  that,  at  best,  would  give  us  only  the  same  capabilities 
our  competition  had.  I  saw  a  different  and  much  less  expen¬ 
sive  way  to  integrate  our  business  units  and  provide  an  online 
ordering  capability.  Taking  this  alternative  path  would  make 
money  available  to  develop  other  systems  that  would  provide 
us  with  capabilities  our  competitors  didn’t  have  and  thereby 
provide  a  competitive  advantage. 

My contrarian instincts were backed by a deep understanding
of my company’s business and my knowledge of IT. My
expertise gave me confidence in my convictions when I presented
my ideas to the board of directors. I showed them how
to get what the company needed faster and for a lot less money
than if we took the conventional path offered by the consultants.
The board was swayed and approved my plans.

The  Rewards  of  Taking  a  Different  Path 

We  left  our  business  units’  different  ERP  systems  in  place,  and 
we  built  a  simple  Internet-based  data-transport  system  that 
enabled  these  applications  to  exchange  documents  such  as 
purchase  orders,  invoices  and  advance  shipping  notices.  The 
data  transport  system  provided  the  connectivity  we  needed 
between  ERP  systems.  Then  I  signed  on  with  a  hosted  Web 
order entry and catalog system, which we used on a pay-as-you-go
basis. These approaches saved tens of millions of dollars.
We took some of the savings and invested in an enterprise data
warehouse and a business intelligence system. Once these were deployed, our
customers  could  go  to  our  website  and  generate  reports  as 
needed,  showing  their  purchases  by  product,  supplier  and 
location  over  any  time  period  from  one  day  to  two  years.  That 
made  us  stand  out  from  our  competitors. 

Later, we added a business process management (BPM)
system to monitor data transactions flowing through our systems,
so that we could catch mistakes our customers made
when entering their orders. Our customer service people
could define the types of errors they wanted to categorize (for
instance, whether cups were ordered without lids). If the BPM
system identified an error, we were able to contact the customer
and correct the mistake.

These decisions produced a couple of very favorable
results. The first was that my company was more profitable
for several years simply because we didn’t squander our
hard-earned cash on expensive IT projects. The second result was
that these systems enabled us to be more responsive to the
unique needs of our customers. We offered suites of
supply-chain services to go along with the products we sold. Our
business intelligence system enabled customers to better manage
their own planning, budgeting and spending on the products
they bought from us, and our business process management
system enabled us to maintain consistently high service levels.
We charged slightly higher prices for our products and still
won new business because customers wanted the services
that our competitors couldn’t provide.

The lesson is this: Whatever company or industry we work
in, whether we’re in the public or private sector, as CIOs we’re
all pursuing the same fundamental goal— to use technology to
make money and make our organizations more competitive.
There will often be many paths to achieving that goal. As
technology leaders, it’s our responsibility to determine which one
is best. Having a healthy skepticism of trends and a commitment
to considering alternative routes is central to our— and
our organizations’— success.


Mike Hugos is a partner in AgiLinks, a software company
specializing in agile supply chains. He is the
former CIO of Network Services and the author of
Essentials of Supply Chain Management. He can be
reached at mhugos@yahoo.com. Send your comments
to leadership@cio.com.




More  About  Leadership 


Mike  Hugos  writes  about  LEADING  I.T.  in  his 
blog,  Doing  Business  in  Real-Time.  Find  it  online 
at  blogs.cio.com.  Listen  to  an  interview  with 
Hugos  at  www.cio.com/podcasts/ciotogo. 



44  SEPTEMBER  15,  2006  |  www.cio.com 


How  the  show  always  goes  on.  To  a  packed  house 

Whether  it  is  "Madama  Butterfly"  or  Michael  Buble,  every  ticket  at  Sydney  Opera  House  is  a  hot  one. 
That's why they chose HP Integrity servers with Intel® Itanium® 2 processors. Now twelve times as
many  customers  can  access  the  ticketing  system  simultaneously,  and  downtime  is  a  distant  memory. 
Norman  Gillespie,  CEO  says,  "Maintaining  our  reputation  is  crucial.  HP  Integrity  Itanium-based 
systems  help  ensure  our  customer  experience  is  virtually  flawless."  itanium-integrity.com 


ITANIUM  +  INTEGRITY.  ON  AND  ON  AND  ON 


Michael Schrage IT'S ALL ABOUT THE EXECUTION


Process  Pantomime 

When  form  substitutes  for  substance,  you  have  an  IT  leadership  problem 


This  column  is  about  strategic  frustration:  mine, 
not  yours.  It  stems  from  complaints  IT  leaders 
and  managers  make  over  lunch,  in  workshops  and 
conferences.  They  need  their  problems  solved— 
Now!— and  want  to  vent. 

So  I  listen,  ask  questions  and  pay  close  attention  to  what 
they  say  and  how  they  say  it.  They’re  not  happy. 

On  occasion,  I  make  suggestions.  More  often  than  not,  their 
most  eloquent  response  is  a  dismissive  shrug.  “We  do  that 
already,”  they  say. 

Intriguingly, they don’t say, “We tried that and it doesn’t
work,” or “Yeah, we have trouble doing that well,” or “We never
thought  about  it  quite  that  way”;  they  claim  they’re  already 
doing  it.  That’s  odd.  If  they  were  really  doing  it,  they  wouldn’t 
have  the  problem  they’re  complaining  about.  But  let’s  take 
people  at  their  word. 

Since  you’re  doing  what  I  suggest  already,  why  do  you  think 
the  process  isn’t  working?  The  answers  I  hear  invariably  sound 
fake.  The  truth— which  always  comes  out— is,  they  don’t  really 
“do  that  already.”  They’ve  never  done  “that”  in  any  meaningful 
way.  My  IT  complainers  aren’t  being  dishonest;  they’re  just  not 
being  honest.  More  precisely,  they’re  not  serious.  This  is  my 
great  frustration. 

Of  course,  my  frustration  reflects  their  strategic  failure, 
which  is  the  pathology  of  the  perfunctory  process.  That  is,  IT 
literally  goes  through  the  motions  without  doing  the  work.  The 
organization  is  living  a  process  pantomime  that  may  lead  to  a 
box  being  ticked  but  no  meaningful  work  being  done.  I’ve  lost 
track  of  the  number  of  times  an  e-mail,  conversation  or  onsite 
visit  reveals  that  IT  isn’t  doing  anything  remotely  near  what  its 




ILLUSTRATION  BY  CHRIS  BUZELLI 


SECURITY' 


SonicWALL  SSL-VPN  2000 


Avaya  MultiVantage  Express 


Secure,  clientless  remote  access  for  your 
mobile  users 

Seamless  integration  behind  virtually  any  firewall 
Granular  policy  configuration  controls 
Powerful  SonicWALL  NetExtender  technology 


Offers  integrated,  single-server  solution  featuring 
Avaya's Communication Manager software
Full  IP  Telephony  solution  features: 

-  Mobility  applications  to  notebooks 
and  cell  phones 

-Always  On  Conferencing 

-  Integrated  voice  messaging  with  auto  attendant 

-  Call  Center  routing  capabilities 

-  Ideal  for  100-500  users 


$1706" 


AVAyA 


CDW  840778 


MVE  Express  Bundle  S8500/G650  Call 
MVE  Express  Bundle  S8500/G700  Call 


RSA® SecurID® Appliance with 10 Tokens

•  Offers  strong  two-factor  authentication  for 
secure  remote  access 

•  Scalable  from  10  -  50,000  users  to  meet  your 
organization's  needs 


Avaya  One-X  Deskphone  -  9630  IP  Telephone 

• Built-in “one-touch” access to top Avaya
Communication  Manager  functionality  like 

...  conferencing,  mobility  applications  and 

contact  information 

•  High  fidelity  audio 

•  Works  with  all  Avaya  solutions  using 
Communication  Manager  3.1  software 

AVAyA  Call  CDW  1 01 0563 


RSA SecurID Appliance Bundle 10-user
Call  CDW  854205 


The  Security  Solutions  You  Need  When  You  Need  Them. 

You  know  security  threats  are  growing.  You  know  they're  becoming  more  sophisticated.  What  you 
don't  know  is  when  one  will  strike,  and  which  one  it  will  be.  The  key  is  to  solve  your  security  issues 
before  they  become  problems.  CDW  has  the  top-name  security  hardware  and  software  as  well  as 
the  technology  experts  to  help  you  proactively  improve  your  network  security.  So  call  today.  Instead 
of  hoping  your  network  is  ready,  wouldn't  you  rather  know? 


The  Right  Technology.  Right  Away. 
CDW.com  •  800.399.4CDW 




Additional  bundles/solutions  are  available;  call  your  CDW  account  manager  for  details.  Offer  subject  to  CDWs  standard  terms  and  conditions  of  sale, 
available  at  CDW.com.  ©  2006  CDW  Corporation. 




leadership  says  it’s  doing.  On  the  contrary,  time,  money,  talent 
and  credibility  are  being  squandered. 


Empty  Gestures 

A  classic  example:  A  financial  services  firm  asked  me  to 
examine  why  its  Indian  outsourcer  did  such  an  awful  job  of 
responding  to  requirements  change  orders.  This  was  a  $200 
million-plus outsourcing deal for a self-described mission-critical
app for a Fortune 200 firm. The project was already late
and  well  past  the  point  of  no  return  on  busting  the  budget. 

The  team  presented  its  case.  I  reviewed  the  requests  and 
saw  the  kinds  of  questions  and  code  coming  back. 

My  simple  suggestion:  Change  orders  should  go  out 
with a three-paragraph brief explaining the technical
rationale, the business rationale and the likely
testing  schema  for  the  change. 

The  team  leader  looked  at  me.  “We  do  that  already,”  he  said. 

Great.  Show  me.  He  sent  me  a  dozen  sample  change  requests. 
The  explanatory  briefs  for  each  one  of  them  were  unintelligible. 
They were filled with jargon, acronyms and references to previous
change orders. The idea that someone for whom English is a
second  language  would  understand  the  brief  defies  belief. 

I  politely  point  this  out.  The  unfazed  team  leader  says,  “Yeah, 
that’s  why  we  have  the  telecons:  to  make  sure  they  understand 
the  changes  we’ve  sent  them.” 

He  thinks  that’s  healthy.  I  ask  if  any  notes  are  taken  at  these 
intercontinental  phone  meetings.  “Not  necessary,”  he  says. 
“[The  outsourcers]  send  an  e-mail  afterwards  confirming  that 
they  understand  the  change  order.” 

He’s serious. Worse yet, this change order “process management”
template for the outsourcer was also supposed to be
IT’s system documentation platform. The truth was that this
team had a change order process in name only. The reality was
a multimillion-dollar mess, facilitated by a senior leadership
that treated “We do that already” as a sign of good management
rather than a warning that a corrupt process was making things
worse.


Empty  Suits 

The central issue here has nothing to do with advice-resistant
clients and everything to do with pantomime cultures
of  perfunctory  processes.  The  process  checklist  has  become 
the  dominant  process  quality  metric.  The  quality  of  outcomes 
and  results  has  been  subordinated  to  the  ability  to  point  to  a 
document  confirming,  “We  do  that  already.”  The  process  has 
become  a  lie. 

This  is  not  a  process  failure  but  a  leadership  failure.  Why? 
Because,  by  definition,  healthy  processes  consistently  produce 
healthy  outcomes.  When  those  outcomes  are  unsatisfactory, 
integrity  demands  we  rigorously  reexamine  the  process  to  see 
if  it’s  become  sick  or  outdated.  To  say,  “We  do  that  already”  is 
to  deny  the  reality  of  and  accountability  for  process  sickness. 


Denying both reality and accountability is a failure of character.
Failures of character are leadership failures. Yes, incompetent
people sometimes guarantee unhealthy processes. But
my experience has me looking at the leadership.

This  was  brutally  reinforced  at  a  software  development 
workshop  for  senior  IT  executives.  I  had  chosen  Tesco,  the 
well-managed,  surprisingly  profitable  British  supermarket 
company,  as  a  healthy  model  for  managing  software  innovation 
within  the  enterprise.  Tesco’s  IT  shop  has  three  inviolable  rules 
for rolling out an IT innovation: It has to be better for customers,
cheaper for Tesco and simpler for employees.




The third criterion— simpler for employees— was the requirement
that killed more than half of IT’s innovation initiatives.
To  my  astonishment,  most  of  the  IT  executives  dismissed  that 
insight.  Simpler  for  employees?  We  do  that  already.  They  then 
complained  about  the  internal  resistance  they  faced  when  they 
tried  to  be  innovative. 

So I asked who “owned” simpler for employees in their organizations.
The answer: Every single “we do that already” IT
executive  except  one  admitted  that  no  one  in  his  shop  owned 
that  issue.  The  exception?  A  CIO  who  said  he  had  delegated 
“simpler”  to  a  human  factors  consultant.  Internal  resistance 
to  innovation  had  been  outsourced  to  an  external  consultant. 
That’s  not  delegation;  it’s  abdication  without  accountability. 
It’s  unserious. 

The  phrase  “We  do  that  already”  uttered  in  tones  of  tired 
contempt  is  positively  correlated  with  unseriousness.  Only 
someone who knows he’s not really at risk would say something
so provably false. If you know you’re going to get reprimanded
or punished for perfunctory performance, you’re
smart  enough  to  keep  a  low  profile  and  your  mouth  shut.  You 
might  even  be  clever  enough  to  acknowledge  that  there  are 
some  things  we  don’t  do  as  well  as  we’d  like.  But  having  the 
arrogance  and  hubris  to  claim  you  do  something  when  you 
emphatically  don’t  is  tempting  fate  beyond  endurance. 

So  here’s  a  simple  suggestion:  Whenever  you’re  seriously 
complaining  to  someone  about  a  serious  IT  issue,  listen  to 
yourself.  If  you  catch  yourself  saying,  “We  do  that  already”  to 
sincerely  offered  advice,  you’ve  got  a  bigger  problem  than  the 
one  you’ve  been  describing.  You  might  want  to  pay  particular 
attention  to  any  direct  reports  who  respond  to  your  suggestions 
that  way.  That  phrase  means  your  process  is 
either sick or nonexistent. Fix it.


Michael  Schrage  is  codirector  of  the  MIT  Media  Lab’s 
eMarkets Initiative. He can be reached at schrage@media.mit.edu.




In  business,  if  you’re  not  quick  enough,  opportunities  can  be  lost.  The  solution:  SAP  NetWeaver,  a  flexible,  fully  integrated  IT  platform  that 
enables  you  to  execute  innovative  new  strategies  as  fast  as  business  demands  them.  SAP’s  industry-specific  applications  are  built  with 
SAP  NetWeaver  according  to  a  common  enterprise  service-oriented  architecture,  allowing  for  easier  and  faster  business  process  change. 
That  means  you  can  transform  your  existing  IT  infrastructure  without  having  to  rip  and  replace.  To  learn  more,  visit  sap.com/netweaver 




William Alford KEYNOTE


Whose  Property? 
Whose  Rights? 


To  understand  the  Chinese  attitude  toward  intellectual  property  rights,  you  have  to  first 
understand  the  Chinese  attitude  toward  property  and  toward  rights. 


It’s  no  secret  that  the  People’s  Republic  of  China  poses 
an  enormous  challenge  for  proprietors  of  software 
and  other  intellectual  property.  The  Business  Software 
Alliance  estimates  that  some  90  percent  of  the  software 
running on Chinese computers is being used illegally, resulting
in losses to U.S. companies that some calculate annually
run  into  the  billions.  And  although  the  Chinese  government 
keeps  saying  it  will  address  the  problem,  its  own  offices  have 
yet  to  fully  cease  unauthorized  use  of  copyrighted  software. 

For  more  than  a  decade  and  a  half,  Washington  has  pushed 
Beijing to enact better policies and practices for IP protection.
In the early 1990s, the administration of George Bush Sr.
joined IP protection to nuclear nonproliferation and human
rights as the three keys to improving U.S.-China relations. The
Clinton  administration  threatened  to  impose  what  then  would 
have  been  the  largest  trade  sanctions  in  history  if  China  did  not 
improve  its  performance,  and  the  current  Bush  administration 
has  made  enforcement  of  IP  rights  a  key  element  in  former 
U.S.  Trade  Representative  Rob  Portman’s  well-crafted  “Top  to 
Bottom  Review”  of  the  United  States’  China  policy.  But  so  far, 
neither  threats,  negotiations  nor  charm  have  had  their  desired 
effect,  and  IP  theft,  software  piracy  and  misuse  continue. 

The  Reality  on  Chinese  Ground 

One  reason  for  this  lack  of  success  is  that  all  these  approaches 
are  predicated  on  the  idea  that  the  issue  is  basically  one  of 
will— that  if  the  Chinese  authorities  wanted  to  do  something 
about  it,  they  could.  The  Chinese  government’s  will  certainly 
is a part of the larger picture. The development of special intellectual
property chambers in Chinese courts— staffed by some




ILLUSTRATION  BY  VAL  BACHOV 


Alignment 

is  a  Beautiful  Thing 

FrontRange  Solutions®  IT  Service  Management: 
The Right Tool to Align with ITIL®


You  know  that  ITIL  best  practices  can  radically  improve 
your  ability  to  deliver  IT  services  and  support  and  meet 
regulatory  requirements.  The  question  is,  what's  the  best 
way  to  implement  ITIL? 

Here's  your  answer.  FrontRange  IT  Service  Management 
(ITSM)  gives  you  the  tools  you  need  to  embrace  the  ITIL 
framework — at  your  own  pace,  cost-effectively,  and  with 
minimal  disruption. 

ITSM  is  a  proven,  enterprise-class,  standards-based,  ITIL 
process-aligned  product  suite  built  on  the  Microsoft®  .NET 
architecture.  ITSM  modules  integrate  easily  with  each 
other,  so  you  can  address  your  most  pressing  IT  problems 
now  and  add  new  capabilities  as  your  needs  grow.  No 
more  incompatibilities  between  multiple  point  products 
and  processes,  and  no  more  exorbitant  consulting  fees  as 
you  integrate  new  functionality. 

The  results:  streamlined  IT  practices,  better  IT  service  and 
support,  tighter  alignment  between  business  goals  and  IT 
realities,  and  more  resources  available  for  strategic 
initiatives  rather  than  "keep  the  lights  on"  activities. 

Stop  reacting  to  the  latest  IT  crisis.  Get  out  in  front  with  a 
proactive,  strategic,  long-term  solution.  Get  in  touch  with 
FrontRange  and  get  the  tools  you  need  to  take  IT  to  a 
higher  level. 


FrontRange SOLUTIONS


FrontRange  Solutions  Offers  Powerful  Modules 
Aligned  to  ITIL 

•  ITIL  Service  Support 

-  Incident  Management 

-  Problem  Management 

-  Change  Management 

-  Release  Management 

-  Configuration  Management 

•  ITIL  Service  Delivery 

-  Service  Level  Management 

-  Availability  Management 


Microsoft 

GOLD  CERTIFIED 

Partner 




Rated  a  "Strong  Performer  for  Large  Enterprise  Tools" 
by  Forrester  Research 

-  Source:  Wave  Ranking  for  Service  Desk,  Q1  2006 


To  learn  more  and  see  our  demo,  visit: 
www.frontrange.com/CIO 


Get Out in Front.


Copyright  ©  2006  FrontRange  Solutions  USA  Inc  All  rights  reserved.  FrontRange  Solutions  and  FrontRange  are  registered  trademarks  or  trademarks  of  FrontRange  Solutions  USA  Inc.  in  the  United  States  and  other  countries. 
Other trademarks or trade names are the property of their respective owners.




of the nation’s best-qualified jurists and lauded by the International
Intellectual Property Alliance— is indicative of what
can happen when the will to change is present. And the difficulties
that General Motors Daewoo faced with the unauthorized
copying of its automobiles by a major factory in Anhui
province  said  to  have  links  to  Chinese 
government  officials  sadly  affirm  what 
happens  when  it  isn’t. 

And  yet,  will  is  not  enough.  Lying 
at  the  heart  of  the  problem  is  the  even 
more daunting challenge of China’s history
and institutions. To take note of
these  realities  is  not  to  apologize  for  IP 
infringement  but,  on  the  contrary,  a  way 
to  begin  to  understand  what  lies  at  the 
heart  of  the  problem. 

The  Chinese  Perspective 

History  does  matter.  As  I  discuss  in  my  book  To  Steal  a  Book 
Is  an  Elegant  Offense  (parts  of  which  have  recently  been  used 
without  attribution  or  authorization  by  a  Chinese  professor 
of  intellectual  property  law!),  there  was  nothing  comparable 
to  our  idea  of  intellectual  property  protection  in  China  prior 
to  its  introduction  by  the  West  in  the  early  20th  century.  The 
emperors  who  ruled  China  prior  to  the  20th  century  were, 
indeed,  concerned  about  unauthorized  publication— but  solely 
for  the  purpose  of  controlling  what  was  disseminated,  not  for 
promoting  private,  individual  expression. 

Western  ideas  of  intellectual  property  were  introduced  in 
the  early  20th  century  but,  unfortunately,  this  was  too  often 
done  via  threats,  and  to  protect  Western  economic  interests. 
The  consequence  was  that  many  Chinese  came  to  understand 
the  concept  of  intellectual  property  as  a  foreign  imposition. 
Furthermore,  the  chaos  that  characterized  the  first  half  of  the 
20th  century  and  the  impact  of  Marxist  theories  of  collective 
ownership  that  marked  the  next  three  decades  meant  it  was 
not  until  the  1980s  that  we  saw  the  introduction  of  modern 
notions  of  intellectual  property  in  China.  Even  now,  for  many 
Chinese  citizens,  these  remain  novel  and  alien  ideas. 

To  this  intellectual  mix,  we  need  to  add  the  nature  of  today’s 
Chinese  institutions.  Because  China  is  not  democratic,  we 
assume  that  its  leaders  can  exert  their  will  as  they  wish.  In 
reality,  their  efforts  fall  well  short  of  what  they  would  like, 
even in areas about which they care deeply (such as controlling
the Internet) because coercion, ultimately, is no substitute
for effective institutions running on their own and enjoying
popular support. Indeed, it’s hard to think of an area of
Chinese  law  today  that  routinely  operates  as  intended.  The 
problems  of  insufficient  legal  consciousness  and  expertise, 
local  favoritism  and  corruption  that  aggravate  enforcement 
of  intellectual  property  rights  also  crop  up  across  the  board 
in  Chinese  legal  affairs. 


What  We  Need  to  Do 

If  we  want  to  create  a  better  climate  for  intellectual  property 
protection  in  China,  we  need  to  do  what  we  can  to  promote 
better  and  broader  public  understanding  of  these  rights  and 
help  build  better  institutions.  This  means  working  to  educate 


people  not  only  about  IP  but  about  rights— both  human  and 
economic— in  general,  for  it  is  unrealistic  to  expect  that  a  people 
will  pay  attention  to  the  complex  abstract  rights  of  foreigners 
if  they  are  not  accustomed  to  asserting  their  own. 

This  also  means  that  there  ought  to  be  more  support— from 
our  government  and  from  private  sources  alike— for  programs 
that  foster  the  development  of  legal  institutions  and  the  growth 
of  civil  society.  Contrary  to  the  conventional  wisdom,  a  greater 
attention  on  the  part  of  the  business  community  to  issues  of 
human  rights  is  likely  to  advance,  rather  than  impede,  the 
realization  of  economic  objectives  in  China,  such  as  greater 
protection  for  IP  rights. 

The  foundational  reasoning  for  this  is  the  proposition  that 
there is a far closer correlation between a strong civil society
and strong IP protection than there is between a strong
state and strong IP protection. Put differently, intellectual
property protection flourishes in states that nurture free
expression and free association. This ought not be surprising
when you think that in such states citizens have more private
expression and other private interests to protect, have a
greater  consciousness  of  their  own  rights,  are  better  able  to 
band  together  to  protect  their  interests  and  have  more  in  the 
way  of  rights-protecting  institutions  on  which  to  call. 

There  are  no  quick  or  easy  fixes  to  the  problem  of  IP 
infringement  in  China,  but  that  doesn’t  mean  we  should 
despair,  or  that  the  die  is  irrevocably  cast.  As  the  Confucian 
classics  suggest,  understanding  the  true  nature  of  a  problem 
is the first step toward its resolution.


William  P.  Alford  is  the  Henry  L.  Stimson  Professor  of  Law,  the  Vice 
Dean  for  the  Graduate  Program  and  International  Legal  Studies, 
and the Director of East Asian Legal Studies at Harvard
Law School. He is the author of To Steal a Book
Is an Elegant Offense: Intellectual Property Law in
Chinese Civilization (Stanford University Press, 1995).
Send comments on this column to letters@cio.com.





AL  IP  PROVIDER? 



THERE  IS  AN  ALTERNATIVE 

Your  global  IP  carrier  should  set  you  free,  not  hold 
you  down.  It  should  be  nimble  and  flexible  enough 
to  deliver  innovative  IP  solutions  and  superior 
support  yet  expansive  enough  to  offer  the  global 
scope  and  scale  your  business  requires.  Enter 
Global  Crossing.  Our  wholly-owned  global  IP 
network  connects  you  virtually  anywhere  instantly. 
It works effortlessly with your current legacy system
and with IP services yet to be envisioned. All with
the security, support and control you'd expect
from an industry leader. It's no wonder so many
FORTUNE 500® companies depend on us. Learn
more at www.globalcrossing.com



Global  Crossing  Holdings  Limited 


Cover  Story  |  Change  Management 


Nothing  is  more  frustrating  than 
trying  to  get  people  to  alter  the 
way  they  do  things.  New  research 
reveals why it’s so hard and suggests
strategies  to  make  it  easier. 




Kevin  Sparks  has  been 
trying  to  get  his  staff  to 
change the way it monitors
and supports the data center
for the past year.

But he hasn’t been getting anywhere.


Not  that  he’s  getting  resistance. 
At  least  not  overtly.  His  staffers  at 
Blue Cross and Blue Shield of Kansas
City agree that installing automated
monitoring software, along
with a centralized control room
and a set of standard processes for
responding to problems, would be
more efficient than the way they
deal with things now— mostly
through ad hoc heroism.

“Logic  always  prevails  and 
everyone will agree— at the intellectual
level— that we need to
change  things,”  says  Sparks,  who 
is  vice  president  and  CIO.  But  then 
he  finds  himself  surrounded  by 
empty  chairs  at  meetings  while 




Why the brain experiences
change as pain

How  to  change  the 
pain  to  pleasure 

Management  strategies 
that  will  help  people 
accept  change 




the  people  who  should  be  sitting  there  are 
off  fighting  the  latest  fire. 

“I  tell  them  I  need  them  at  the  meetings 
and  if  we  changed  things  they’d  have  the 
time  to  be  there.  But  things  always  break 
down when we talk about taking monitoring
out of their hands [through automation],”
Sparks says.

To help his staff accept the new processes,
Sparks says he’s taken layoffs off
the table, even though the proposed automation
and process efficiencies could
reduce  the  need  for  bodies.  The  change 
is  part  of  a  larger  effort  to  implement  the 
IT  Infrastructure  Library  (ITIL)  process 
framework to improve overall productivity
(for more on ITIL, see “ITIL Power,”
www.cio.com/090105). “I don’t want fewer
people;  I  want  the  ones  I  have  to  do  more 
things,”  he  says,  sighing  with  frustration. 

In  other  words,  Sparks’s  staff  doesn’t 
seem to have any logical reason for resisting
the changes. But before you dismiss
them as a bunch of inflexible, fearful losers,
know this:

They  are  you  and  you  are  they. 


A  Universal  Truth 

Maybe your resistance
to  change  manifests 
itself  in  a  different 
way  or  in  a  different 
setting— a  refusal  to 
throw away that old slide rule, for example,
or to look while the nurse draws your
blood,  or  to  dance  at  weddings.  We  all 
refuse  to  change  our  ways  for  reasons  that 
are  often  hard  to  articulate. 

Until,  that  is,  you  begin  looking  at  it 
from  a  scientific  perspective.  In  the  past 
few  years,  improvements  in  brain  analy¬ 
sis  technology  have  allowed  researchers 
to  track  the  energy  of  a  thought  coursing 
through  the  brain  in  much  the  same  way 
that  they  can  track  blood  flowing  through 
the  circulatory  system.  Watching  differ¬ 
ent  areas  of  the  brain  light  up  in  response 
to  specific  thoughts  has  brought  a  new 
understanding  to  Continued  on  Page  60 


Though we’ve heard these nostrums over and over, scientific research proves that they work

1. Stay on message. The brain needs repetition to move a concept from the prefrontal cortex, which handles unfamiliar concepts and complex decisions, to the basal ganglia, where habits are stored. For new concepts to become hardwired, those pathways have to be reinforced continually.

2. Keep it simple. The prefrontal cortex can entertain only a handful of concepts at a time. Therefore, complex projects need to be refined to one or two goals that businesspeople can easily understand so that their prefrontal cortexes do not become overwhelmed, causing fatigue and the psychological and physical distress that leads to anger.

3. Expect fear. When the decision-making part of the brain (the prefrontal cortex) becomes overwhelmed, it sends out signals to the primitive area of the brain (the amygdala) that controls the fight-or-flight response. This generates feelings of fear, anger and sadness. Budget for these emotions in your staff.

4. Let them own the change. There is one aspect of change that scientists believe generates pleasurable sensations: the epiphany, that moment of personal insight when people feel they personally have come to terms with an issue.

5. Lead by not leading. The prefrontal cortex is always on high alert, looking for signals that all is not right. Ordering people around, painting pictures of the world that don’t line up with people’s own realities or goals, or even offering friendly, well-meaning advice can produce distracting, fearful sensations.

6. Show, don't tell. Learning what to do elicits pleasurable sensations; being told what to do causes the brain to produce fearful, angry messages.

7. Provide experience. People resist change because they can’t imagine what it will be like to fill a role different from the one they know. Allowing people to experience epiphanies in a new role in a controlled, safe way—such as putting an IT person to work in a retail bank before starting a project there—can help everyone adapt.

8. Focus on the big picture. Even though our brains all share some basic, high-level wiring, our life experiences make each of us unique; therefore, there is no way to paint a detailed picture of a complex project or change that will look the same to everyone.

9. Seek compliance before commitment. Neither rewards nor punishments lead to the personal epiphanies that people need to experience in order to change. Clarify what people need to do, then step aside, allowing them to discover the benefits of the new processes for themselves.

10. Make it a personally relevant story. Well-told stories are powerful. But they need to speak to the personal interests of the people affected by the change in order to appeal to the prefrontal cortex, placate the amygdala and spark the epiphanies that allow people to change. -C.K.




WHITE PAPER: Re: Alignment

Custom Publishing

How to Deliver Management Solutions to Address Critical IT Challenges

» EXECUTIVE SUMMARY How to demonstrate IT's business value? It’s one of the CIO's greatest challenges. The solution: Business/IT alignment. Proper alignment enables the CIO to map priorities to business requirements, while also ensuring that IT stays rooted in a business context. Read this piece for alignment insights from HP and IDC.

Business/IT alignment is the talk of the boardroom. Yet, it's one thing to discuss alignment. Building the strategy into the enterprise is another matter.

The challenge of addressing this issue sets the stage for a thought-provoking conversation between senior executives at HP and IDC.

"Business and IT alignment is a perennial hot topic for CIOs seeking to maximize the ability to drive business value," says Stephen Elliot, Research Director for IDC's Enterprise Systems Management Software Service, in a global webcast interview with Ken Hollywood, HP's Regional Chief Technology Officer (CTO), Management Software for the Americas and Asia Pacific.

The building blocks to successful enterprise management must incorporate a business-external focus, as well as an IT process & operations focus. Success depends on the ability to align IT to business, automate processes and develop and optimize strategic architecture.

"How do I measure and monitor what I am doing in the business and demonstrate that we are delivering on that?" asks Hollywood, pinpointing the key challenges facing CIOs today. "How can I use IT to better enable business advantage?"

CIOs today are under intense pressure to demonstrate IT value to business, manage and adapt to change, and deliver a higher level of service with reduced costs. The challenge is how to manage the enterprise and link with the business, while also doing "more with less."

As organizations strive to effectively align business and IT, they seek solutions to align the IT infrastructure with Business Processes while enabling them to achieve compliance. Key elements in this solution strategy include:

• Service Level Management

• Automating the business objective and IT infrastructure linkage

• Best Practices to drive a closed loop system




ADVERTISING  SUPPLEMENT 




"How  do  I  measure  and  monitor  what  I  am  doing  in  the 
business  and  demonstrate  that  we  are  delivering  on  that?” 

—  KEN  HOLLYWOOD,  HP 


IT Process Automation

IT process automation is critical as organizations work toward true business and IT alignment. Industry research shows that automation improves business and IT processes. Technology that automates risk and control management is essential.

A key executive challenge is automating and linking with business objectives and IT infrastructure. For instance, how do you approach Service Level Management in aligning IT infrastructure goals and business priorities? And how do you optimize the tough tradeoffs between staff/service levels, cost and business impact?

This new HP and IDC webcast draws upon HP executive insight and IDC research analysis to help CIOs achieve successful enterprise management - and "do more with less." Specifically, Hollywood and Elliot discuss how to incorporate into strategy these critical success factors:

• Industry best practices such as ITIL

• How to design new business processes within your IT infrastructure

• How to build and quantify the right metrics


Expert Insight: Compliance and Governance

"IDC encourages progressive enterprises to turn the corner and realize that the burden of compliance with information-intensive legislation can be converted to an opportunity to refine IT processes and systems, to strengthen IT governance, and to aim for a positive return on compliance investments. The past two years have seen a steep learning curve, which is a good thing. Much has been learned about the value of careful instrumentation of IT infrastructure and automated analysis of key indicators. HP's sustainable compliance strategy, supported by the HP OpenView IT governance solutions, including OpenView Compliance Manager, should be on an enterprise's short list for careful evaluation."

Source: IDC White Paper: "Compliance and Governance: Changing the Game for IT," Kathleen Wilhide, March 2006


Tune in To Learn More About Alignment

To hear more about business/IT alignment strategies and solutions from Ken Hollywood and Stephen Elliot, follow this link:
http://www.accelacast.com/programs/hp_aligning

Topics tackled in this webcast include:

• Effectively aligning business and IT

• Aligning the IT infrastructure with business processes

• Service Level Management by aligning IT goals

• Automating the business objective and IT infrastructure linkage

• Best practices to drive a closed loop system

• How this approach helps CIOs achieve compliance in IT governance


“The major first step is to build a bridge with the business,” Hollywood says. “Build a bridge, try to get consistent metrics, and then do continuous improvement.”

Infrastructure Optimization

A closed loop system can help achieve true business and IT alignment. Effective use of business metrics is critical to success. IT priorities must match to business requirements, including key measurement, monitoring and performance indicators. With true business and IT alignment, the closed loop comes from the business, while IT measures and monitors the processes. The net-net: Reduced costs and better control.

This infrastructure optimization also helps CIOs achieve compliance in meeting their IT governance objectives. Meanwhile, with tightly coupled business and IT integration, organizations can better manage risk continuously, deliver better services and address customer needs and expectations.

"It's about automation and operationalizing and automating that link, building it into how the enterprise does business," says IDC's Elliot.




2006 ANNUAL AWARD WINNERS

Congratulations!

The 2006 CIO 100 honorees were selected for achieving important business goals through the innovative use of IT. Innovation was a continuous topic at the CIO 100 symposium, where the CIO 100 received their award.

The following supporting companies continue the conversation online with the CIO 100 podcast series exploring the topic of innovation.

Tune in at:

www.cio.com/podcasts/innovationpodcasts.html

AMD
Apani
AT&T
EMC
Fujitsu
Orange Business Services
Perot Systems
Primavera
Siemens
Sterling Commerce (An AT&T Company)
Sybase

CIO 100 is Presented by

Business Technology Leadership

2006 CIO 100 Honorees

A. Duie Pyle
Advanced Health Media
Aflac
Afloat Training Group
AIG Domestic Brokerage Group
Air Force Reserve Command, H.Q.
Alere Medical
APL Logistics
Applera
Atmos Energy
Austin Energy
Ball State University
Baptist Health South Florida
Berlin Packaging
Broward County Office of Information Technology
BT Group
Capital One Financial
Case Western Reserve University
CompuCredit
ConocoPhillips Refining and Marketing
Con-Way
Cooper Communities
CSX Technology
Defense Logistics Agency
Dell
Deutsche Bank Securities
Discover Financial Services
Drexel University
Dunham and Smith Agencies
E*TRADE Financial
EchoStar Satellite
Fairfax County Public Schools
Federal Financial Institutions Examination Council
FedEx Ground Package System
Foley & Lardner
General Motors
Goodwill Industries International
The Goodyear Tire & Rubber Co.
Great American Financial Resources
Harrah's Entertainment
Hess
Highmark
Hitachi Global Storage Technologies
Hygeia
ING Group
Intel
International Truck and Engine
Intrax Cultural Exchange
Iowa Department of Administrative Services
JEA
King County
KnowledgeBase Marketing
Lance Armstrong Foundation
Lifespan
Litle & Co.
Lord, Abbett & Co.
Marriott International
MediSend International
MoneyGram International
Monsanto
Nanyang Polytechnic
Network Services Co.
Nexsen Pruet Adams Kleemeier
Nielsen Media Research
NOAA Undersea Research Center
Northrop Grumman
Oakland County Michigan
Ochsner Clinic Foundation
The Ohio State University Medical Center
Oregon State University
Panasonic Automotive Systems Co. of America
Partners Healthcare
Pfizer
Pierce County
Pitt County
PNC Financial Services Group
The Procter & Gamble Co.
Quicken Loans
Royal Bank of Canada
Russell Investment Group
Sarasota County Government
Shell Vacations
SIRVA
Society of Worldwide Interbank Financial Telecommunication
Southern Co.
SRL Ranbaxy
Taleo
Trico Products
United Parcel Service
United States Marine Corps Systems Command
University of Chicago Hospitals
University of Missouri - Rolla
University of Rochester
The University of Texas M. D. Anderson Cancer Center
Vanguard
Wake Forest University
Washington Metropolitan Area Transit Authority
Washtenaw County
Wells Fargo Wholesale Internet & Treasury Solutions
YRC Worldwide


A Stock Market Processing 300 Million Transactions a Day.

Running on Microsoft SQL Server 2005.

NASDAQ, the largest U.S. electronic stock market, lists companies from 37 countries. Their crucial trading and messaging systems use SQL Server™ 2005 to handle up to 64,000 transactions per second with 99.999% uptime.* See how at microsoft.com/bigdata

Microsoft SQL Server 2005

*Results not typical, and are based on use with Windows Server™ [illegible] Edition. Availability is dependent on many factors [illegible] mission-critical operational processes and professional services. © 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows Server, [illegible] Our passion.” are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.


Cover  Story  |  Change  Management  Continued  from  Page  56 


Pictures  of  the  brain  show  that  our 
responses  to  change  are  predictable  and 
universal.  From  a  neurological  perspective 
we  all  respond  to  change  in  the  same  way: 

We  try  to  avoid  it. 


the corporeal mechanics of psychology in general and to our response to change in particular.

These advances are bringing a much-needed hard foundation of science to a leadership challenge that to CIOs has long seemed hopelessly soft and poorly defined: change management. Pictures don’t (usually) lie, and the pictures of the brain show that our responses to change are predictable and universal. From a neurological perspective, we all respond to change in the same way: We try to avoid it. But understanding the brain’s chemistry and mechanics has led to insights that can help CIOs ameliorate the pain of change and improve people’s abilities to adapt to new ways of doing things.

Why Change Is Painful

Change hurts. Not the boo-hoo, woe-is-me kind of hurt that executives tend to dismiss as an affliction of the weak and sentimental, but actual physical and psychological discomfort. And the brain pictures prove it. Change lights up an area of the brain, the prefrontal cortex, which is like RAM memory in a PC. The prefrontal cortex is fast and agile, able to hold multiple threads of logic at once to enable quick calculations. But like RAM, the prefrontal cortex’s capacity is finite—it can deal comfortably with only a handful of concepts before bumping up against limits. That bump generates a palpable sense of discomfort and produces fatigue and even anger. That’s because the prefrontal cortex is tightly linked to the primitive emotional center of the brain, the amygdala, which controls our fight-or-flight response.

The prefrontal cortex crashes easily because it burns lots of fuel of the high-octane variety: glucose, or blood sugar, which is metabolically expensive for the body to produce.

Given the high energy cost of running the prefrontal cortex, the brain prefers to run off its hard drive, known as the basal ganglia, which has a much larger storage capacity and sips, not gulps, fuel. This is the part of the brain that stores the hardwired memories and habits that dominate our daily lives.

“Most of the time the basal ganglia are more or less running the show,” says Jeffrey M. Schwartz, research psychiatrist at the School of Medicine at the University of California at Los Angeles. “It controls habit-based behavior that we don’t have to think about doing.” Like, for instance, many aspects of our jobs.

The interplay between the basal ganglia and the prefrontal cortex helps explain the resistance of Sparks’s staff to his proposed changes. Even though fire fighting takes more time and effort, the overall approach is familiar, and the outcome (one way or another, the problem always gets fixed) is comfortingly predictable. Doing the fire fighting the way Sparks’s staff has always done it draws upon the basal ganglia and burns less fuel than making a change and involving the prefrontal cortex.

But resistance to change is not ineluctable. The prefrontal cortex has its limitations, but it is also capable of insight and self-control. It’s what makes us human—the ability to be aware of our habitual impulses and do something about them.

“The prefrontal cortex is extremely influential in our behavior, but it does not have to be completely determinative,” says Schwartz. “We can make decisions about how much we want to be influenced by our animal biology.”

Carrot and Stick: The Flaw

Unfortunately, traditional change management tactics are based more in animal training than in human psychology. Leaders promise bonuses and promotions to those who go along with the change (the carrot) and punish those who don’t with less important work and the potential loss of their jobs (the stick).

Though no conclusive research has yet been done, surveys have shown that people’s primary motivation in the workplace is neither money nor advancement but rather a personal interest in their jobs, a good environment and fulfilling relationships with colleagues. The effects of bonuses, promotions and reprimands, though real and measurable, are all temporary.

“The carrot-and-stick approach works at the systemwide level—offering cash bonuses to the sales department to increase the number of customers in Latin America will get you more customers there, for example—but at a personal level it doesn’t work,” says David Rock, founder and CEO of Results Coaching Systems, a consultancy. “Our personal motivations are too complex, and you can only offer so many raises.”


IF YOU’RE NOT USING INTELLIGENT COMMUNICATIONS, WHAT SORT OF COMMUNICATIONS ARE YOU USING?

Introducing the Avaya one-X™ Deskphone Edition. Unleashing the power of IP telephony.

Avaya, the global leader in voice communications, continues to lead the way in Intelligent Communications. The one-X Deskphone Edition, part of our one-X™ family of powerful solutions, can help take the productivity of your business to a whole new level. It is loaded with the features and benefits you told us you wanted—high-fidelity sound, an intuitive user interface, and enhanced functionality that leads to greatly improved productivity.

In fact, business professionals estimate the following productivity gains with the one-X Deskphone Edition:*

33% less time searching for call contacts
50% less time playing phone tag
50% cost savings on conferencing

See all the ways the one-X Deskphone Edition can help you maximize the possibilities of IP telephony and give your business a competitive advantage.

IP Telephony
Contact Centers
Mobility
Services

“See it,” “Hear it,” and “Feel it” at: avaya.com/seeitnow
Are you one-Xperienced?™

AVAYA

*Avaya Productivity Survey, April 2006 (claims based on survey data, not actual usage)

©2006 Avaya Inc. All Rights Reserved. Avaya, the Avaya Logo, and all trademarks identified by ®, and TM or SM are registered trademarks, trademarks, or service marks of Avaya Inc., and may be registered in certain jurisdictions.

The traditional command-and-control style of management doesn’t lead to permanent changes in behavior either. Ordering people to change and then telling them how to do it fires the prefrontal cortex’s hair-trigger connection to the amygdala. “The more you try to convince people that you’re right and they’re wrong, the more they push back,” says Rock. Even well-meaning advice quickly raises warning flags in the prefrontal cortex that it is soon to become overloaded and exhausted. And just as quickly it begins to defend itself. “Our brains are so complex that it’s rare for us to be able to see any situation in exactly the same way,” says Rock. “So when we get advice from people, we’re always finding ways that the advice doesn’t match up with our own experience or expectations.”


Not Your Change; Their Change

The way to get past the prefrontal cortex’s defenses is to help people come to their own resolution regarding the concepts causing their prefrontal cortex to bristle. These moments of resolution or insight—call them epiphanies—appear to be as soothing to the prefrontal cortex as the unfamiliar is threatening.

Just look at a person’s face during one of these moments and you can see that something positive is happening—though scientists aren’t exactly sure what it is yet. “There isn’t conclusive evidence, [but] I think it’s reasonable to conclude that the brain has some kind of reward mechanism related to insight,” says Schwartz.

Brain scans show a tremendous amount of activity during moments of insight, with the brain busy building many new and complex connections. The insights don’t have to be life-changing to have a pleasurable effect, either. “The simple insight of figuring out the answer to 12 across in the crossword puzzle is enough to give a little feeling of positive reinforcement,” says Schwartz.

But because our brains are so complex and so individual, generating epiphanies in many people in a systematic way is difficult. Patience is critical, says Rock. “You have to paint a broad picture of change and resist the urge to fill in all the gaps for people,” he says. “They have to fill them in on their own. If you get too detailed, it prevents people from making the connections on their own.”

Leaving holes in any plan is especially hard for CIOs who tend to be ambitious and process-oriented—meaning they have thought out all the details involved in a strategy or systems change and believe they know all the steps required to get there. And, in general, they’re bursting with the need to tell everyone how, exactly, to do it.

“When I put out change proposals, it’s obvious to me why we should be changing, so when people resist I tend to get more aggressive in trying to convince them,” says Matt Miszewski, CIO of the state of Wisconsin. “But we lose people in that situation. The more we try to explain things, the more dug in they get.”

Doing the thinking for employees takes their brains out of the action. And when disengaged, they will not invest the energy necessary to make the new (and, to the brain, pleasurable) connections required to change behaviors. Worse, in that situation, they may instead focus their energy on the negative, fearful signals broadcast by the amygdala—deepening and reinforcing their resistance to change.




SERVICES AND SOFTWARE | ENTERPRISE NETWORKING AND COMPUTING | SEMICONDUCTORS | IMAGING AND DISPLAYS

Who has the credentials to check the credentials of 13,000 government employees?

With NEC’s fault tolerant servers achieving up to 99.999% uptime, only those authorized to access your building will gain access to your building. NEC’s proven track record as a global technologies leader, combined with 30 years of research and development experience in the security technologies field, offers much-needed assurance in today’s increasingly unsure times. Continuous security monitoring solutions. It’s one more way NEC empowers people through innovation.

www.necus.com/security

NEC Express5800/ft series Server

NEC

©NEC Corporation 2006. NEC and the NEC logo are registered trademarks of NEC Corporation. Empowered by Innovation is a trademark of NEC Corporation.

Empowered by Innovation


“When I put out change proposals, it’s obvious to me why we should be changing, so when people resist I tend to get more aggressive in trying to convince them. But the more we try to explain things, the more dug in they get.”

-Matt Miszewski, CIO of the state of Wisconsin


“Wherever  we  focus  our  brain’s  attention,  that’s  where 
we’re  making  and  reinforcing  connections,”  says  Schwartz. 
“If  our  attention  is  focused  on  negative  things,  those  are  the 
connections  that  will  be  made  and  strengthened.” 


How Questions Provide Answers: A Case Studied

In trying to focus people’s attention on personal insight and changing their behavior, Rock uses the same technique that psychoanalysts have used since the profession began: He asks questions. “When you ask someone questions, you are getting them to focus on an idea,” he says. “When you pay more attention to something, you make more connections in the brain.”

Rock also says that asking questions gets people to voice their ideas. And according to the brain scans, voicing ideas creates more activity and connectivity in the brain than hearing an idea spoken by someone else. “The best way to get people to change is to lay out the objective in basic terms and then ask them how they would go about getting there,” Rock says.

Richard Toole approached the question of offshoring—one of the most emotional change issues in IT today—in just this way. Toole, who is CIO for PharMerica, a pharmacy services company, says that when he joined the company two years ago he had a mandate to reduce costs and improve the productivity of his application development staff. Outsourcing and offshoring were obvious solutions, but rather than mandate them from the beginning, he had a series of meetings with his staff in which he outlined the business goals and discussed options for achieving them. “We asked them what suggestions they had,” he recalls. “Every one of them came up with outsourcing as some component of their plan—even some who were opposed to it. You could say we were being manipulative, but we weren’t because even though the cost issue was pushing us towards outsourcing, it wasn’t a final decision at that point.” Toole says that in the end most of the staff was more accepting of the decision to offshore some of PharMerica’s development because they had had input into the decision from the beginning.

The Joy of Repetition

Once people have had that initial insight or epiphany that change is necessary, they need to repeat the experience in order to reinforce it and to experience the potential pleasure that can be derived from it. The complex brain connections that are formed during the epiphany phase need to be supported to begin the process of hard-wiring the basal ganglia. Indeed, when Wisconsin’s Miszewski has been successful in getting agencies to accept change—server consolidation and centralization, for example—it has been because of highly repetitive lobbying. “That’s why politicians repeat the same message 10 times,” he explains.

“The epiphany is the catalyst and stimulus, but it’s not the whole deal,” says Michael Wakefield, senior enterprise associate at the Center for Creative Leadership, a consultancy. “You have pathways in place, and they’re simply too strong to be changed in a single moment. You need to be able to integrate it into the psychological behavior for it to become part of a new pattern.” Rock says reminding people of their insights and continually asking them about the actions they decided to take as a result will help the process along. If they haven’t taken any action, ask them when they plan to.

It’s also important to know that there are always going to be people who are simply incapable of changing their behavior in a particular situation for reasons that are too complex and personal for CIOs to resolve. CIOs are not psychotherapists, and they don’t need to be. Change experts and CIOs offer a remarkably consistent picture of the types of reaction to change and the percentages of people who fall into each category. Roughly 20 percent to 30 percent of employees are change gluttons—often ambitious, they see change as a path to happiness and success. Another 20 percent to 30 percent cannot view change as anything other than a threat to their jobs (and they may be right) and will resist at all costs. Finally, about 50 percent to 70 percent are


skeptics— they  may  see  some  logic  in  the  case  for  change 
but  aren’t  convinced  it  will  benefit  them  personally.  “It’s  the 
50 to 70 percent you need to focus on,” says Rock.

Not  Your  Motivation,  Theirs 

One of the biggest mistakes leaders like CIOs
make  in  trying  to  win  over  the  skeptical 
middle  is  assuming  that  everyone  is  moti¬ 
vated  by  ambition— as  many  CIOs  are.  But 
many  people,  especially  IT  professionals, 
are  motivated  as  much  or  more  by  the  work  they  do  (the 
craft  of  software  development,  for  example)  as  they  are  by 
the  opportunity  to  move  up  in  the  hierarchy.  “There  are 
a  lot  of  people  who  don’t  want  to  be  king  or  queen,”  says 
Wakefield.  “That’s  difficult  for  people  to  reveal  because 
they  fear  their  bosses  will  start  to  question  their  courage 
and  commitment.”  If  these  people  don’t  see  an  opportu¬ 
nity  to  maintain  their  allegiance  to  the  work  they  love  as 
part  of  a  change,  they  won’t  see  the  benefit  of  going  along. 
They  will  remain  skeptical  or,  worse,  move  into  the  camp 
of  active  resisters. 

One  of  the  best  ways  to  bring  the  skeptics  around  is 
through  learning.  At  the  New  York  State  Workers’  Com¬ 
pensation  Board,  a  change  readiness  survey  of  employees 
at  the  beginning  of  an  effort  to  shift  compensation  cases  from 
paper  folders  to  electronic  files  found  that  employees’  num¬ 
ber-one  demand  was  for  training.  “They  wanted  reassur¬ 
ance  that  we  weren’t  going  to  ask  them  to  do  something  new 
without  giving  them  the  support  they 
needed  to  do  it,”  says  Nancy  Mulhol- 
land,  who  is  deputy  executive  director 
and  CIO  of  the  board. 

Information  sessions,  Q&As,  train¬ 
ing  courses  and  coaching  all  provide 
ways  for  people  to  get  those  epipha¬ 
nies  without  feeling  as  if  something  is 
being  forced  on  them.  “Learning  is  the 
antidote  to  change  resistance,”  says 
Wakefield.  “Learning  lets  you  reframe 
the  change  from  being  something  bad 
for  you  to  something  that  can  have 


value  for  you.” 

The  learning  environment  has  to  be  one  in  which  employ¬ 
ees  will  not  be  reprimanded  or  embarrassed  for  revealing 
their  discomfort  with  the  new  way  of  doing  things.  “You 
have  to  give  people  the  sense  that  feeling  uncomfortable  is  a 
normal  part  of  change  and  address  their  concerns  about  los¬ 
ing  face  because  of  their  lack  of  confidence  and  competence,” 
says  Wakefield.  One  of  the  ways  to  do  that  is  to  put  people 
together  who  share  a  similar  status  in  the  organization  and 
are  facing  a  similar  change  so  they  can  see  that  they’re  not 
alone— a  species  of  corporate  support  group.  When  groups 
are  too  threatening,  individual  coaching  can  help. 

The  Hard  Edge  of  the  Soft  Stuff 

Change management is time-consuming and
hard  to  quantify  for  process-oriented  CIOs. 
But  avoiding  the  challenge  leads  to  failure. 
“Anybody  can  stick  $2,000  in  someone’s 
face  to  get  them  to  finish  a  job,  but  it’s  the 
people  who  can  inspire  others  to  follow  them  that  are  the 
most  successful  in  the  long  run,”  says  PharMerica’s  Toole. 
“The  soft  stuff  is  important.” 

But  inspiring  others  to  change  isn’t  a  matter  of  charisma 
or  charm,  say  the  experts.  It’s  finding  a  way  to  spark  those 
epiphanies. 

Sparks’s  latest  tactic  for  engaging  his  staff’s  prefrontal 
cortexes  was  to  bring  in  an  outside  consultant  to  discuss 
the  ITIL  program  and  to  field  concerns. 

“We  had  an  outstanding  instruc¬ 
tor,  and  she  was  able  to  address 
many  of  the  questions  people  had,” 
recalls  Sparks.  “I  could  begin  to  see 
the  lights  come  on  in  some  of  the 
[skeptics].  After  a  long  meeting,  one 
of  my  people  stood  up  and  said,  ‘You 
know,  we  should  have  started  work¬ 
ing  on  this  [automated  monitoring] 
six months ago.’”


Send feedback to Executive Editor Christopher Koch at ckoch@cio.com.


The  Hard  Stuff  Behind  the  Soft  Stuff 


»  For  more  information  about  THE  BRAIN’S 
CONNECTION  TO  CHANGE  AND  LEADERSHIP, 
read  an  article  by  consultant  David  Rock  and 
psychiatrist  Jeffrey  M.  Schwartz. 

» Think the man behind hard-core capitalism,
Adam Smith, didn't have a touchy-feely side?
Check out his writings about THE POWER
OF SELF-DETERMINATION and the “impartial
spectator” in changing human behavior.

Find  links  to  both  of  these  stories  at 
www.cio.com/091506. 



E-Commerce 


HOW TO PUT THE MONEY WHERE THE MOUSE

With a flexible IT infrastructure, streamlined business organization and attention to customer convenience, E-Trade is modeling the future of Web-based banking


Suppose  you’re  sitting  on  a  little  cash. 

Should  you  put  some  in  a  CD?  Sock  it  away  in  a 
money  market  account?  Now  imagine  you  can  visit 
your  bank’s  website  to  figure  it  out.  Using  an  online 
tool,  you  can  move  the  money  around  and  exam¬ 
ine  how  your  earned  interest  and  rates  will  change, 
depending  on  where  you  put  it.  Colored  bar  charts 
representing  the  amount  of  interest  earned  in  a 
year  shift  up  and  down  depending  on  your  choices. 
When  you  decide  on  the  right  mix,  you  can  open  a 
new  account  with  a  few  key  strokes. 

One  might  assume  every  bank  would  offer  such  a 
tool,  but  few  provide  customers  with  anything  close. 
The  application  described  above,  called  the  “intelligent  cash  opti¬ 
mizer,”  was  introduced  last  year  by  E-Trade  Financial.  E-Trade 
was  given  up  for  dead  after  the  dotcom 
bust,  but  the  online  brokerage  resur¬ 
rected  itself  by  sharply  cutting  costs 
and  embarking  on  a  diversification 
plan  that  included  acquiring  a  Web- 
only  bank  and  linking  it  with  its  core 
trading  operations.  E-Trade’s  net 
interest  income,  a  significant  portion 
of  which  derives  from  its  banking 
operations,  accounted  for  51  percent 

of  its  revenue  in  2005.  Analysts  say  the  company’s  success 
derives  in  no  small  part  from  its  customer-friendly  services. 
The  company  reported  earnings  of  $1.7  billion  in  2005. 

Reader ROI

:: The challenges facing online banking

:: Why E-Trade has succeeded as a Web-based bank

BY SUSANNAH PATTON

And E-Trade is giving brick-and-mortar banks a run for their
money. According to a June 2006 study by the Pew Internet
and American Life Project, 43 percent of
Internet  users,  or  about  63  million  Ameri¬ 
can  adults,  now  bank  online.  And  a  survey 
released  early  this  year  by  IT  consultancy 
Keane  found  that  financial  institutions  con¬ 
sider  customer  satisfaction  with  online  ser¬ 
vices  key  to  their  revenue  growth  through 
cross-selling  of  products  to  existing  account 
holders.  Yet  many  banks  offer  little  more 
than  rudimentary  services  such  as  the  abil¬ 
ity  to  check  an  account  balance  or  pay  bills 
electronically. 

“Very  few  banks  don’t  realize  at  this  point 
that  online  banking  is  big  business,”  says 
Matt  Poepsel,  VP  of  application  management 
at  online  benchmarking  company  Gomez. 
“But  many  banks  are  still  finding  their  way.” 
Banks  need  to  offer  more  online  information 
and  advice  that  is  tailored  to  the  individual 
account  holder,  as  well  as  more  sophisti¬ 
cated,  easy-to-use  online  tools,  experts  say. 
However,  Keane  found  49  percent  of  banks 
surveyed  considered  their  technology  plat¬ 
forms  to  be  the  primary  obstacles  to  improv¬ 
ing  their  online  customer  experience. 

“At  some  level,  E-Trade  shouldn’t  exist,” 
says  the  company’s  CIO,  Greg  Framke.  “If  big 
firms  had  embraced  the  Internet  as  a  chan¬ 
nel,  we  wouldn’t  have  had  a  chance.”  Instead, 
industry  experts  point  to  E-Trade  as  a  model 
for  how  banks  should  run  their  online  opera¬ 
tions  and  prepare  to  serve  the  emerging  gen¬ 
eration  of  customers  raised  on  the  Internet. 

The  problem  for  most  traditional  banks 
is  that  they  have  grown  up  as  a  group  of 
autonomous  silos,  with  loan  departments 
working  separately  from  brokerage  and 
cash  divisions.  Many  have  also  built  their 
branch,  call  center  and  Internet  divisions 
as  separate  units  and  are  now  struggling  to 
provide  service  and  sales  across  all  chan¬ 
nels.  CIOs  at  these  banks  have  a  tough  time 
integrating  their  back-end  systems,  notes 
Rusty  Wiley,  global  banking  industry  leader 
for  IBM’s  business  consulting  services. 
“The  way  banks  have  built  their  channels 
independently  has  created  an  inconsistent 
user  experience  from  the  Internet  to  the  call 
center  and  the  branch.” 

Some  major  banks,  including  Wells  Fargo, 
Bank  of  America  and  Wachovia,  are  well 
on  their  way  to  integrating  systems  and 
offering  sophisticated  online  tools  (see  “Big 
Banks  That  Get  the  Web,”  this  page).  But 


BIG  BANKS  That  Get  the  Web 

Though  they  move  slowly,  some  traditional  banks  are 
making  progress  online 


Big,  traditional  banks  aren’t  all  online  laggards.  In  fact,  it  was  Wells  Fargo,  which 
had  revenue  of  $40  billion  in  2005,  that  opened  the  first  online  banking  site  in 
1995.  Since  then,  as  top  banks  have  worked  to  improve  their  online  offerings, 
Wells  Fargo  has  been  among  the  leaders,  boasting  a  steady  increase  in  the 
number  of  its  active  online  customers.  Most  recently,  they  have  rolled  out  My 
Spending  Report,  a  free  online  tool  that  lets  customers  review  and  analyze  their 
spending  patterns. 

Wells  Fargo  and  top  competitors  are  making  progress  in  providing  online 
customers  with  sophisticated  functions,  analysts  say,  but  are  still  not  quite  at 
the  level  of  online  only  banks  such  as  E-Trade  when  it  comes  to  pure  site  integra¬ 
tion.  For  example,  says  Forrester  Research  analyst  Brad  Strothkamp,  traditional 
banks  have  still  not  integrated  their  public  and  private  sites.  This  means  that 
when  an  existing  customer  is  logged  on  to  a  banking  session,  he'll  usually  have 
to  log  out  in  order  to  open  another  account  or  apply  for  a  loan.  Not  so  at  E-Trade. 

Leading  banks  are  working  to  improve  channel  integration,  however.  For 
example,  Wachovia  is  working  on  an  initiative  to  create  a  single  channel  for 
retail  customers  that  will  integrate  online,  branches  and  call  centers.  “All  the 
big  banks  are  trying  to  figure  out  how  to  pull  transaction  and  customer  informa¬ 
tion  from  legacy  systems,"  says  Rusty  Wiley,  global  banking  industry  leader  for 
IBM’s  business  consulting  services. 

To  create  My  Spending  Report,  Wells  Fargo  deployed  a  data  warehouse  from 
Teradata  to  store  its  customer  information,  then  used  it  to  create  reports  based 
on  that  information.  A  similar  tool,  Business  Spending  Report,  does  the  same 
for  small  businesses.  Jim  Smith,  EVP  of  the  Internet  Channel  &  Products  group 
at  Wells  Fargo,  says  the  3  million  customers  that  have  used  My  Spending  Report 
reflect  demand  from  online  banking  customers  for  analytical  tools  and  other 
functions  beyond  basic  transactions.  The  next  steps  include  providing  informa¬ 
tion  to  customers  on  their  wireless  devices. 

“Our  story  is,  pick  the  channel  you  want  and  we’ll  be  there  with  an  experi¬ 
ence  that  will  be  highly  convenient  for  you,”  says  Smith.  -S.P. 




“E-Trade  takes  it  to  the  next  level,”  says  Brad 
Strothkamp,  a  senior  analyst  with  Forrester 
Research.  “They  leave  no  stone  unturned  and 
[they]  sweat  the  details  when  it  comes  to  inte¬ 
grating  their  offerings  and  providing  more 
functionality.”  Here’s  how  they’ve  done  it. 

The  Right  Business  Model 

E-Trade’s  first  online  business  model  was  a 
bust. After the stock market crash of 2000,
the  Internet  broker’s  stock  price  plunged 
from  more  than  $60  at  its  peak  to  less  than 
$3  in  2002,  while  the  company  lost  a  total  of 
$428  million.  Among  its  problems,  E-Trade 
had  a  bloated  staff  and  lacked  financial 


discipline,  as  did  many  dotcoms.  But  when 
Mitchell  Caplan,  now  E-Trade’s  CEO,  joined 
the  company  in  2000  as  its  chief  banking 
officer,  he  was  convinced  that  despite  the 
gloomy  mood  among  Internet  companies, 
E-Trade  had  a  future  as  an  online  bank. 
In  1989,  Caplan  had  founded  Telebank, 
a  savings  and  loan  that  had  no  physical 
branches.  Telebank  offered  banking  prod¬ 
ucts  and  services  via  a  toll-free  call  center 
and  later  online. 

E-Trade  bought  Telebank,  and  the  move 
was  seen  in  the  marketplace  as  an  early 
attempt  to  offer  brokerage  and  banking 
services on one




site.  With  the  subsequent  crash,  however, 
enthusiasm  among  investors  for  such 
online  integration  quickly  faded.  Caplan 
persisted,  however,  and  his  bet  seems  to 
have  paid  off.  Banking  helped  E-Trade 
return  to  profitability.  The  company  now 
boasts  748,950  bank  accounts— seven 


times  the  number  of  accounts  it  acquired 
from  Telebank. 

As  a  bank,  E-Trade  is  still  relatively 
small.  (Wells  Fargo,  in  contrast,  has  7.9 
million  active  online  consumer  custom¬ 
ers,  who  account  for  59  percent  of  its  con¬ 
sumer  checking  accounts.)  But  Caplan  and 




Framke  attribute  E-Trade’s  success  in 
a  competitive  marketplace  to  the  com¬ 
pany’s  use  of  open-source  technology 
(for  example,  Linux  on  Intel  serv¬ 
ers,  serving  webpages  with  Apache 
and  its  supplement,  Tomcat)  and  its 
early  adoption  of  a  services-based 
approach  to  software  development. 
When  E-Trade  built  its  technology 
infrastructure,  says  Framke,  service- 
oriented  architecture  was  a  “prom¬ 
ising  building  block”  for  providing 
transaction  processing.  It  suited 
E-Trade’s  business  model— which 
emphasized  convenience  for  custom¬ 
ers— because  it  allows  the  company, 
by  reusing  software  services,  to  pro¬ 
vide  the  same  experience  to  account 
holders  whether  they  are  checking  a 
balance  or  applying  for  a  loan. 

“There  was  something  compelling 
between  what  we  wanted  to  provide 
our  customers  and  this  emerging 
technology,”  Framke  says. 

Total  Integration 

At  the  core  of  E-Trade’s  technology 
strategy  is  a  simple  idea:  that  it  should  be 
easy  and  appealing  for  customers  to  open 
accounts  with  E-Trade,  and  once  they  do, 
it  should  be  easy  for  them  to  manage  these 
accounts  without  having  to  log  in  to  mul¬ 
tiple  systems. 

“It  shouldn’t  matter  where  you  are  or 
what  kinds  of  accounts  or  products  you 
have,”  says  Caplan.  “You  want  the  [online] 
experience  to  be  the  same.  That  kind  of  ser¬ 
vice  requires  integrated  systems.”  This  is  a 
goal  that  many  banks  are  striving  for  right 
now,  but  E-Trade  is  well  on  its  way  to  achiev¬ 
ing  it.  For  example,  the  company  provides 
customers  with  a  single  sign-on  for  access¬ 
ing  all  their  accounts  during  a  banking 
session.  In  early  2005,  E-Trade  launched 
E-Trade  Complete,  a  tool  that  allows  cus¬ 
tomers  to  get  a  single  view  of  their  cash  and 
investments  on  one  screen.  Conceptually, 




it’s  similar  to  an  online  dashboard,  and  it’s 
possible  because  E-Trade  uses  Web  ser¬ 
vices  to  knit  together  customer  data  from 
multiple  back-office  systems  enabling  the 
systems  that  support  checking  accounts 
and  investment  accounts  to  use  the  same 
customer  information. 

Building  on  the  E-Trade  Complete 
function,  the  company  introduced  the 
Intelligent  Cash  Optimizer  later  in  2005, 
followed  by  similar  tools  to  help  custom¬ 
ers  find  loans  and  fine-tune  their  invest¬ 
ment  strategies.  All  of  these  tools  reflect 
E-Trade’s  focus  on  integrating  services  to 
create  a  smoother  customer  experience. 
For  example,  the  company  repurposed  a 
feature  that  allowed  customers  to  trans¬ 
fer  money  in  and  out  of  cash  or  checking 
accounts  in  order  to  enable  QuickTransfer, 


which  allows  transfers  in  and  out  of  any 
other  account,  too.  “The  key  is  to  bring 
together  everything  to  allow  customers  to 
navigate  between  different  types  of  prod¬ 
ucts  and  see  for  themselves  if  they  want  to 
save  more  money  or  make  more  interest  on 
their  cash,”  Framke  says. 

Traditional  banks,  on  the  other  hand, 
“are  bogged  down  by  legacy  systems,” 
observes  Framke,  who  has  also  worked 
for  investment  banks  Morgan  Stanley  and 
Deutsche  Bank.  The  older  banks  have  sep¬ 
arate  systems  for  processing  loans,  man¬ 
aging  cash  and  purchasing  investments, 
and  online  customers  often  have  to  toggle 
between  applications  in  order  to  conduct 
transactions.  Experts  agree  that  the  type 
of  application  and  data  integration  that 
allows  customers  access  to  different  prod¬ 


ucts  from  a  single  interface  will  help  other 
banks  develop  their  online  offerings.  Most 
large  banks  are  working  on  this  problem, 
but  integrating  multiple  applications  and 
merging  customer  information  into  one 
database  is  not  an  easy  task.  “Getting  the 
holistic  view  of  a  customer’s  assets,  liabil¬ 
ities  and  balances  is  not  easy  when  you 
have  silos,”  says  Peter  Nikonovich,  man¬ 
aging  director  at  BearingPoint. 

Banish  Bureaucracy 

Most  banks  got  started  with  a  single  pur¬ 
pose.  They  were  either  retail  banks,  com¬ 
mercial  banks,  mortgage  companies  or 
credit  card  providers.  Then,  as  the  econ¬ 
omy  evolved  and  the  banks  grew,  they 
added  new  lines  of  business.  Each  line  of 
business,  or  unit,  would  build  its  own  sys¬ 


tems,  thus  banking  became  an  industry  in 
which  most  large  firms  were  a  collection 
of  separate  silos.  Add  to  that  history  the 
recent  wave  of  bank  mergers,  and  most 
large  financial  firms  are  working  not  only 
with  a  complicated  set  of  systems  and  data¬ 
bases  that  don’t  talk  to  each  other,  but  with 
business  units  that  don’t  collaborate. 

By  contrast,  E-Trade— perhaps  because 
it  began  as  an  online-only  bank  and  is 
relatively  new— has  been  able  to  more  eas¬ 
ily  integrate  its  lines  of  business  just  as  it 
has  integrated  its  IT  applications.  Unlike 
traditional  banks,  E-Trade  does  not  have 
a  separate  Internet  division  and,  says 
Framke,  there  are  no  barriers  between  the 
company’s  trading,  lending  and  cash  man¬ 
agement  operations.  “All  retail  technology 
is  done  in  the  same  organization,”  Framke 


says.  “There  is  no  distinguishing  between 
brokerage,  lending  or  cash.” 

With fewer layers of bureaucracy to wade through, E-Trade executives can make quick decisions about getting new services up and running. For example, in 2004, Framke gathered with Caplan and other top E-Trade executives to present a plan for using multifactor authentication to identify customers. At the time, the use of at least two types of authentication—generally something a person knows, such as a password, and something they have, like a hardware token—was emerging as a safeguard against identity theft. Framke knew customers were concerned about online security, and he wanted his company to respond to these worries.

After Framke’s presentation, the group decided on the spot to move forward with the plan, which involved giving tokens from security vendor RSA to E-Trade customers in addition to a user name and password. That type of nimble decision making is typical at E-Trade, where, in contrast to practices at most large banks, Framke oversees all Internet technology and plays an important role in executive decision making. That contrasts with some larger financial companies in which the Internet division is far removed from top management, which, experts say, accounts in part for the lack of progress deploying multifactor authentication by the industry as a whole.

Having separate channels “makes it easier to deal with customers from a line of business perspective,” says Carter Hansen, senior VP of user centered design at Wachovia’s e-commerce division. “The challenge is, how do we come up with the best customer-centered recommendation in the online channel and avoid the impulse to do what’s best for the line of business?”

Listen  to  Customers 

The challenge for banks, then, is to do what customers want, even if it seems counterintuitive. The more tools and functions that are available to customers in a straightforward way, the more money they’ll bring to the bank. That’s the lesson E-Trade learned after it introduced QuickTransfer, a function that allows customers to transfer funds free of charge between accounts within E-Trade or outside the company.

“We were early in the industry to open our door,” says Framke, noting that there was some initial concern that customers would use the transfer function to take money out of E-Trade. However, the opposite occurred. According to company data from the first quarter of 2005, 750,000 customers initiated QuickTransfer and for every $2 transferred to outside accounts, $3 came back to the bank. According to Rob Shenk, senior VP of retail strategy at E-Trade, customers adopted QuickTransfer because it provided a more efficient way than traditional wire or check requests to transfer funds. “It’s also a statement to the customer that our products are not ‘roach motels,’ where your cash is trapped within one financial institution,” Shenk says.

According to an equity research report on E-Trade issued earlier this year by Keefe, Bruyette & Woods, “it appears E-Trade customers are choosing to place more cash with the company rather than their traditional bank as some of the largest contributors of net inflows are Bank of America, Chase, Citibank and Wachovia.” Shenk says this information is proof that customers and their cash are drawn to the easy-to-use and effective functions such as QuickTransfer.

Adds Framke, “Our bet has been that if we give our customer the functionality to see what they are making and to move their money around as they see fit, we will bring more money in.” He adds, however, that it’s also important not to overwhelm the customer with too many options. “You need to walk the line between offering sophisticated functionality but not too much,” he adds. For example, he notes, E-Trade would rather offer fewer, highly effective functions like QuickTransfer than a wider variety of more run-of-the-mill ones.

Framke cites E-Trade’s move to offer token-based “multifactor” authentication as another such key function. When the company introduced the RSA tokens in March 2005, it was the first financial company in the United States to offer multifactor authentication to U.S.-based customers (the technology is now strongly recommended by banking regulators). E-Trade customers who choose the service use a token that displays a new six-digit number every minute. The number acts as an extra, one-time password that matches with an identical number generated at the same time at E-Trade’s offices. Framke won’t specify how many customers have opted to use the security tokens, but says E-Trade is pleased with the adoption. “If people feel secure, they tend to keep more money with us,” he says. E-Trade did not provide data to back up this claim, but Internet performance monitoring company Keynote Systems says that in its most recent survey of prospective customers of online brokerages, E-Trade was ranked as a top performer in privacy and security.
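
An added example, not part of the article and not RSA's or E-Trade's implementation: the six-digit, once-a-minute code described above, modeled with the open TOTP standard (RFC 6238, built on RFC 4226 HOTP) instead of the token vendor's own algorithm. The seed, the one-step clock-drift window and the `Verifier` class are assumptions made for illustration; the 60-second step and six digits follow the article.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60  # the article's token shows a new number every minute
DIGITS = 6         # six-digit code, as in the article
SEED = b"12345678901234567890"  # constructed seed (the RFC 4226 test key)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of last byte picks a 4-byte window
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """Token side: the counter is simply the number of elapsed time steps."""
    return hotp(secret, unix_time // step)


class Verifier:
    """Server side (hypothetical): same seed, its own clock.

    Accepts a code from the current step or one step either side to absorb
    clock drift, and never accepts a step at or before one already used,
    so an observed code cannot be replayed inside its validity window.
    """

    def __init__(self, secret: bytes, drift_steps: int = 1):
        self.secret = secret
        self.drift_steps = drift_steps
        self.last_counter = -1  # highest time step accepted so far

    def verify(self, submitted: str, server_time: int) -> bool:
        now = server_time // STEP_SECONDS
        for counter in range(now - self.drift_steps, now + self.drift_steps + 1):
            if counter < 0 or counter <= self.last_counter:
                continue  # before the epoch, or already consumed (replay)
            expected = hotp(self.secret, counter)
            # Constant-time comparison avoids leaking matching prefixes.
            if hmac.compare_digest(expected.encode(), submitted.encode()):
                self.last_counter = counter
                return True
        return False


def demo() -> dict:
    """Walk through one login, a replay, clock drift and a stale code."""
    server = Verifier(SEED)
    code = totp(SEED, 65)  # token clock reads t=65s, i.e. time step 1
    outcome = {
        "code": code,
        "accepted": server.verify(code, 70),  # server clock in the same step
        "replayed": server.verify(code, 75),  # same code offered again
    }
    # Token clock lags the server by one step: still inside the drift window.
    outcome["drift_ok"] = Verifier(SEED).verify(totp(SEED, 59), 61)
    # Code from step 0 offered at step 3: outside the window.
    outcome["stale"] = Verifier(SEED).verify(totp(SEED, 59), 200)
    return outcome


if __name__ == "__main__":
    print(demo())
```

The second factor here is possession of the seed inside the token; the replay check and the narrow drift window are what keep an observed code from being useful for more than one login.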

Keep  Moving 

While E-Trade’s success reflects an increasing acceptance of online banking, traditional banks and their branches aren’t going away yet, or maybe ever. Some customers prefer talking with a real person face-to-face when making important financial decisions. Dot-com banks such as Wingspan failed because the majority of customers aren’t yet willing to make the leap to doing everything online. Still other customers are concerned that their financial information may not remain secure from hackers or phishing attacks. These factors present a challenge to E-Trade.

In acknowledgement of the advantages that brick-and-mortar banks still have, E-Trade has opened 20 financial centers and plans to add up to 15 more. The company doesn’t want to turn itself into a brick-and-mortar bank, but rather to offer some face-to-face advice to regular online customers at the sites, which will be located in areas where most customers are located, says Framke.

Going forward, E-Trade will have to keep its eye on its competitors—both online and traditional banks—in order to stay ahead. The online brokerages “are telling us [banking is] extremely competitive and they need to use their websites to draw people in,” says Lance Jones, an analyst at Keynote Systems. Looking ahead, Framke acknowledges that the competition is likely to remain stiff. “The challenge remains deploying technology that is easy to use yet produces meaningful results for the customer and the company,” he says. Framke also has his eye on new Internet technologies such as application composites, or mashups, which are applications created by combining multiple services.

And even though E-Trade is beefing up its physical presence, the company knows it will remain an online leader only if it can continue to come up with tools, such as the Intelligent Cash Optimizer and QuickTransfer, that are effective, easy to use and ahead of the pack. Says Framke: “We have to be ahead of the technology curve as new Web services technologies emerge, and use them in a way that is unique to us.”


Susannah  Patton  is  a  writer  based  in  California. 
Send  comments  about  this  story  to  Executive 
Editor  Elana  Varon  at  evaron@cio.com. 


Learn More About E-Trade: Download the Forrester Research report “The Secret to E-Trade’s Cross-Sell Success” at www.cio.com/091506.




adam  McCauley 


ADVERTISING  SUPPLEMENT 


Innovating for Improved Security

Privacy and competitive advantage drive the push for new security products


AT  MICROSOFT,  TIGHT  INTEGRATION  OF 
SECURITY  WITH  PRODUCTS,  PROPER 
DEVELOPMENT  PROCESSES  AND  PROCEDURES, 
AND  FINDING  WAYS  TO  COOPERATE  WITH 
GOVERNMENT  AND  INDUSTRY  ALL  PLAY  INTO 
THE  SECURITY  INNOVATION  EQUATION. 


Security  may  be  most  often 
associated  with  preventing 
network  break-ins  and 
various  disruptions,  but  it  is 
also  an  enabler  of  some  of  the 
most  powerful  applications  of 
Internet  technology. 


It’s now common for companies to have extranets that enable them to securely conduct business with partners, suppliers and customers over the Internet, which not only can improve service but also dramatically cut the cost of doing business.

Online banking provides perhaps the best example of how security technology can be a business enabler. While online banking was possible even in the pre-Internet days, it required a modem connection that was fairly secure but not very user friendly. Web browsers outfitted with Secure Sockets Layer (SSL) encryption technology made the process far easier, with a reasonable degree of security. As the technology continues to evolve, banks tout their advanced security mechanisms as a competitive advantage, with some offering smart cards or token-based identity schemes to woo high-end customers who are more sensitive to risk.

For companies to use security technology to gain a competitive edge, vendors must first come up with innovative security tools for customers to deploy. That innovation can take many forms, including working to ensure security is integral to their products, coming up with new processes and procedures that ensure products are developed with security in mind, and creating management tools that help customers keep their environments secure. Innovation can also include finding ways to work cooperatively with industry and government to address security issues, whether it’s beating back viruses or helping to catch and prosecute cyber criminals.




These are all areas to which Microsoft® for years has been devoting significant resources, with tangible results. The company’s Trustworthy Computing Secure Development Lifecycle (SDL) initiative has dramatically reduced the number of vulnerabilities in Microsoft products. At the same time, the company has integrated various advanced security technologies into client and server software, from public key infrastructure (PKI) to advanced authentication techniques, while delivering numerous tools—many of them based on Active Directory® and Group Policy—to make it simple for customers to maintain a proper security posture. And Microsoft has been at the forefront working with industry and government to address security issues, investing $5 million in a fund used to reward those who provide information leading to the arrest of cyber criminals.

Of course, innovation applies to products as well. Microsoft has made significant investments in developing and acquiring the most advanced technologies, resulting in products such as the Rights Management Services (RMS) document protection technology, new security capabilities in Visual Studio® 2005 and free tools such as the Security Configuration Wizard.

The Windows Vista™ operating system will further showcase Microsoft’s security investments, with numerous security capabilities tightly integrated. Internet Explorer® 7 will also feature new capabilities that greatly reduce the chances of an attack or the installation of malicious code (see sidebar, next page).

Through its Microsoft Forefront™ line of security products for business, Microsoft provides greater protection and control through integration with existing IT infrastructures and through simplified deployment, management, and analysis. Microsoft Forefront includes Microsoft Forefront Client Security (formerly called Microsoft Client Protection); Microsoft Forefront Security for Exchange Server (currently called Microsoft Antigen for Exchange); Microsoft Forefront Security for SharePoint® (currently called Antigen for SharePoint); Microsoft Forefront Security for Office Communications Server (currently called Antigen for Instant Messaging); and Microsoft Internet Security and Acceleration (ISA) Server 2006.

The  security  innovations  in  Windows  Vista  are 
the  result  of  a  long-term,  focused  initiative  aimed  at 
helping  mitigate  the  most  vexing  security  challenges. 
While  Microsoft  competitors  may  drive  security  in 
some  components,  a  systematic  commitment  and 
methodology  lead  to  multiple  changes  that  add  up  to 
several  levels  of  protection. 

PROCESS  AND  KNOWLEDGE  SHARING 

Nowhere is the effect of focused process on software development more evident than in Microsoft’s SDL. SQL Server 2005 has had fewer vulnerabilities (zero so far, more than eight months after its release), compared with previous non-SDL releases, and as compared with databases such as Oracle 10g or MySQL. Windows Server® 2003, the first Microsoft operating system release developed under large portions of the SDL process, has likewise seen far fewer security bulletins than its predecessor, Windows® 2000. In the first year after its release, Microsoft issued 62 security bulletins for Windows 2000 that by today’s standards would be considered “critical” or “important.” Windows Server 2003 saw only 24 in the same time period, a significant improvement.

Microsoft has also taken some of the lessons learned in its internal SDL software development process and applied them to its Visual Studio 2005 software development tool. Enhancements include tools that help developers analyze their code for errors that may cause security problems; conduct tests to detect execution errors, including those related to security; and prevent conditions that can result in buffer overruns, which account for a large number of security vulnerabilities.

Another example of Microsoft passing its security experience on to customers is the Security Configuration Wizard, a tool that makes it easy to configure a server with the optimum security profile for the particular role it will play. Microsoft had security experts examine servers playing various roles, such as database server, Web server and file server. Their advice is built in to the Security Configuration Wizard, which quickly tells users which services are unnecessary in a given server role, which ports to block and so on.

Microsoft’s approach reflects years of work on developing and integrating its directory and policy management tools. At the core is Active Directory, which provides a central repository for information on all network users and infrastructure, including information used in identity management. Active Directory works hand-in-hand with Group Policy, which enables IT to efficiently manage groups of users within the organization. Group Policy simplifies the process of applying granular security policies to various groups, including those policies that dictate proper system configuration. Microsoft Windows Server 2003 also includes certificate management tools that allow customers to apply strong, X.509-based authentication for any users or applications that require it.

INTEGRATION  INNOVATION 

Innovation  also  comes  in  technology  developments  that 
are  central  to  security  products,  and  integration  is  often 
part  of  the  story. 

Microsoft Windows Rights Management Services is one example. RMS allows users to safeguard information, including Word documents and e-mail, by defining which recipients can open, modify, copy, print and take other actions with it. These usage rights stay with the document and can be automatically applied to certain types of documents, such as financial records, according to company policy.

A SAFER INTERNET EXPLORER

In many cases, taking away all but the most essential services required to effectively run a given application can enhance security. That, in a nutshell, is the thinking behind the forthcoming Protected Mode technology in Microsoft Internet Explorer 7.

Protected Mode works with security features in Windows Vista to significantly reduce an attack’s potential to destroy or modify data on the user’s machine or to install malicious code. The Windows Vista security infrastructure allows Protected Mode to provide Internet Explorer with the privileges needed to browse the Web, but withholds privileges needed to silently install programs or modify sensitive system data.

Among the Windows Vista features that Internet Explorer 7 uses to protect users are User Account Control (see main story) and a new feature that applies an integrity level to various processes and objects. Internet-facing programs like Internet Explorer run at a low integrity level because they may download untrustworthy content from unknown sources. By contrast, applications run from the Start menu have a medium integrity level, while those run with administrator permissions have a high integrity level. Low integrity processes can only write to folders, files and registry keys that have likewise been assigned a low integrity label.

When Internet Explorer is running in Protected Mode it is restricted to writing to low integrity folders such as the temporary Internet files, History, Cookies and Favorites—enabling users to browse the web but blocking the ability of malicious code to execute in more sensitive folders.

The  Swisscom  Group  found  the 
tight  integration  of  RMS  with  the 
Microsoft  Office  System  software 
gave  it  an  edge  over  competitors 
in  a  category  that  is  critical  for  all 
security  solutions:  usability.  The 
Swiss  telecommunications  company 
conducted  an  internal  audit  that 
showed  an  unacceptable  level  of  risk 
from  the  unprotected  storage  and 
transmission  of  information  within 
the  organization.  In  2004,  it  evaluated 
RMS  along  with  two  other  products 
that  used  password  protection 
with  secured  file-saving  and  e-mail 
security.  One  was  deemed  to  be  less 
effective  than  RMS,  while  the  other 
required  some  20  distinct  actions  in 
order  to  safeguard  a  document.  By 
contrast,  “Microsoft  RMS  allows  the 
easy  encryption  of  documents  in  a 
single  step,”  says  Adrian  Turtschi,  head  of  strategic  IT 
management  for  Swisscom. 

Usability  and  integration  are  at  the  heart  of  the 
advances  Microsoft  has  made  in  implementing  PKI. 
While  PKI  has  long  been  recognized  as  a  way  to  provide 
strong  authentication,  companies  for  years  struggled 
to  implement  it  because  of  the  complexity  involved  in 
rolling  out  the  various  components,  including  digital 
certificates,  a  certificate  authority  (CA)  to  issue  and 
vouch  for  the  authenticity  of  those  certificates,  and  an 
enrollment  system. 

All  that  changed  when  Microsoft  included  Certificate 
Services  in  Windows  Server  2003.  Certificate 
Services  is  a  complete  PKI  implementation,  including 
a  CA  and  auto-enrollment  capabilities.  A  role-based 
administration  feature  enables  organizations  to 
separate  responsibility  for  managing  and  maintaining 
the  CA,  such  as  by  allowing  managers  to  manage 
certificates  for  users  in  their  groups.  Auto-enrollment 
allows  certificates  to  be  issued  automatically  to 
computers  or  individual  users,  with  no  awareness 
required  on  the  part  of  the  user.  Active  Directory  is 
used  to  store  and  serve  the  X.509  certificates.  Here 
again,  integration  amounts  to  security  innovation. 

ON  THE  HORIZON:  VISTA 

Windows Vista will further build on the Microsoft security story, with integration again taking center stage in products such as Windows Defender.

In 2004, Microsoft acquired Giant Company Software with the intention of offering a fee-based anti-spyware blocking solution, as well as a free online tool to scan and remove spyware infections for customers who did not want to pay for an anti-spyware blocking solution. Microsoft integrated its anti-spyware solution, Windows Defender, into Windows Vista. Windows Defender helps protect against and remove spyware, adware, rootkits, bots, keystroke loggers, control utilities and some other forms of so-called malware.

NETWORK ACCESS PROTECTION

Another advanced security feature that will be built into Windows Vista is Network Access Protection (NAP), an extensible platform that provides an infrastructure and API for security policy enforcement. NAP lets IT administrators ensure that only “healthy” machines connect to their network, while enabling potentially “unhealthy” machines to get clean before they gain access. Organizations can establish minimum security requirements for their clients, such as up-to-date antivirus signatures and current software updates.

Although the NAP client for Windows Vista is included in the operating system, Microsoft will also release NAP client support in Windows XP SP2.

BITLOCKER  DRIVE  ENCRYPTION 

One of Microsoft’s top customer requests regarding security in Windows Vista was to address the threat of data theft or exposure on computers that are lost, stolen or decommissioned.

In response, Microsoft developed BitLocker Drive Encryption, which encrypts the entire Windows volume on a computer, preventing unauthorized users from accessing data. BitLocker is deployed and used with little effort, and it enables secure and easy recovery by an authorized administrator. The system and hardware integrity are checked as the machine boots up, and the computer will not boot if system files or data have been tampered with. BitLocker also offers the option to lock the normal boot process until the user supplies a PIN code or inserts a USB flash drive that contains the appropriate decryption keys. These additional security measures provide multifactor authentication and assurance that the computer will not boot or resume from hibernation until the correct PIN or USB flash drive is presented.

Get more online

Windows Vista Security and Protection Features: http://www.microsoft.com/technet/windowsvista/security/default.mspx

The Microsoft Security Response Alliance: http://www.microsoft.com/security/msra/default.mspx

Security Guidance from Microsoft on More Than a Dozen Topics: http://www.microsoft.com/technet/security/topics/default.mspx

Windows Defender: http://www.microsoft.com/athome/security/spyware/software/default.mspx

Understanding and Working in Protected Mode Internet Explorer: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ietechcol/dnwebgen/protectedmode.asp

Swisscom Group RMS Case Study: https://members.microsoft.com/customerevidence/search/EvidenceDetails.aspx?EvidenceID=13532&LanguageID=1&PFT=Microsoft%20Windows%20Server%202003&TaxID=20106

Microsoft Forefront: http://www.microsoft.com/forefront/default.mspx

USER ACCOUNT CONTROL

Another innovative development to be included in Windows Vista, User Account Control (UAC), lets administrators allow users to conduct routine administrative tasks that pose no security risk, but takes away the majority of administrative privileges.

UAC strikes a balance between enabling users to perform routine administrative tasks on their own and tightening up potentially hazardous administrative privileges. It also makes user accounts with administrative privileges safer by limiting access to sensitive system resources and functions by default, and by prompting for approval when performing administrative tasks that require additional privileges.

WINDOWS SERVICE HARDENING

That same concept of allowing only what is necessary and denying what isn’t is carried to Windows itself in Windows Vista. Windows services represent a large percentage of the overall potential attack surface in Windows, meaning the quantity of overall “always-on” code and the privilege level of that code. With that in mind, Microsoft is introducing Windows Service Hardening in Windows Vista to restrict critical Windows services from performing abnormal activities in the file system, registry, network or other resources that could be used to allow malware to install itself or attack other computers.

Windows Service Hardening limits the potential damage in the unlikely event an attacker identifies and exploits a vulnerable service by preventing the service from changing important configuration settings or infecting other computers on the network. With Windows Service Hardening, what could have been a major security breach can potentially be limited to a minor compromise.


THE  INNOVATION  ADVANTAGE 

Innovation makes technology more effective and simpler to use. Think about the first mobile phones—dictionary-size boxes that typically had to be tethered to your car’s cigarette lighter. They bear little resemblance to that sleek device that fits easily in your pocket and can be used not only to conduct conversations but to surf the Web, receive text messages and take pictures.

Security  technology  is  seeing  the  same 
sort  of  innovation,  resulting  in  security 
products  that  are  not  only  highly  effective 
but  also  so  simple  to  use  that  in  some  cases  users 
are  unaware  of  their  existence.  That  is  the  result  of 
the  kind  of  tight  integration  that  Microsoft  brings, 
enabling  users  to  be  auto-enrolled  in  a  highly  secure 
PKI  environment  without  taking  any  specific  actions, 
and  have  sensitive  documents  automatically  encrypted. 
The  integration  story  will  only  get  stronger  with  the 
forthcoming  Windows  Vista  operating  system,  which 
will  ensure  user  machines  are  secure  before  they  log 
on  to  the  network  and  provide  numerous  capabilities  to 
keep  them  that  way.  Innovations  taking  place  behind 
the  scenes,  such  as  with  the  SDL  initiative,  likewise 
make  products  more  secure  by  reducing  the  number  of 
potential  vulnerabilities. 

In a highly connected world, security will always be a concern. But the security innovations in Microsoft products are keeping customers one step ahead. With less time spent worrying about and attending to security issues, IT departments have more time to spend on strategic endeavors, and client machines are more reliable, making end users more productive.

Security can even be an enabler of new business initiatives. Microsoft’s PKI implementation, for example, provides a way to authenticate not only your own employees but business partners too, helping you open up new and powerful applications to them on your own network. From manufacturers sharing supply chain information and financial institutions conducting online transactions, to health care providers sending sensitive information to physicians for remote diagnoses, the possibilities are nearly endless.



Security  Survey 


Some things are getting better slowly—but security practices are still immature and,
in some cases, regressing


BY  ALLAN  HOLMES 


82  SEPTEMBER  15,  2006  |  www.cio.com 


Reader ROI

:: Why compliance with security laws and regulations remains a chimera

:: How to mitigate the risks of outsourcing to India

:: The financial services industry’s best practices for security


The  Executive  Summary 

When  it  comes  to  information  security,  the  reflection  you  see  in  your  morning  mirror  is  probably  not 
that  of  a  sharp,  confident,  professional  IT  executive.  Rather,  that  man  in  the  mirror  is  more  likely  to 
look  like  a  gangly,  awkward,  not-yet-to-be-fully-trusted  teenager. 

That’s what “The Global State of Information Security 2006” survey tells us. In its
fourth edition, this largest-of-its-kind survey reveals that global information
executives, still relatively new to security’s disciplines, are learning and improving
but are still prone to risky behaviors—behaviors that could have devastating
consequences.


Inside the Study

“The Global State of Information Security 2006,” a worldwide study by CIO, CSO and
PricewaterhouseCoopers, was conducted online from April 5 to May 22. Readers of CIO and
CSO and clients of PricewaterhouseCoopers from around the globe were invited via e-mail
to take the survey. The results shown in this report are based on the responses of 7,791
CEOs, CFOs, CIOs, CSOs, and VPs and directors of IT and information security from 50
countries.

The margin of error for this study is plus or minus 1%.

The study represents a broad range of industries including technology (10%), education
(10%), consulting and professional services (8%), government (8%), telecommunications
(6%), and financial services and banking (4%).

Thirty-two percent of respondents reported total annual sales of less than $100 million,
14% reported sales between $100 million and $999.9 million, 17% said their annual sales
exceeded $1 billion, 17% were nonprofit organizations, and 17% didn’t say.

Job titles included CIO, CTO, VP, director and manager of IT (22%), information security
professional (12%), non-IT executive (12%), other IT titles (39%). Fifteen percent listed
“other” or did not answer the question.

The study by CIO, CSO and PricewaterhouseCoopers (PwC), with 7,791 respondents in 50
countries, indicates that an increasing number of executives (CEOs, CFOs, CIOs, CSOs,
and VPs and directors of IT and information security) across all industries and in
private- and public-sector organizations continue to make incremental improvements in
deploying information security policies and technologies, although the rate of
improvement is slower than in previous years. They’re becoming more financially
independent, with some security budgets increasing at double-digit rates. And they say
they’re more confident in their level of security, perhaps because their networks have
not had a serious virus or worm in the past 12 months.

But teenagers, as any parent knows, live in the moment and have an ability to ignore
what they know they should do and do what they know they shouldn’t. The survey shows us
that most executives with security responsibilities have made little or no progress in
implementing strategic security measures that could have prevented many of the security
mishaps reported this year. Only 37 percent of respondents said they have an overall
security strategy. And they’re planning to focus more on tactical fixes than on
strategic initiatives, ensuring that in the coming year they will be more reactive than
proactive.

One of the most unsettling findings in this year’s study is the sad state of security in
India, by a wide margin the world’s primary locus for IT outsourcing. The problem is
less with the outsourcing companies themselves than with the dangerous waters they swim
in. Many respondents from India admit to not adhering to the most routine security
practices. The problem is obvious, but right now it’s apparently easier to ignore than
to address.

[Chart: Integration on the Rise. We have some integration between physical and IT
security.]

Harder to ignore is the constant news of large organizations losing laptops packed with
unencrypted personal data on millions of customers. Every year we report that such
incidents should motivate companies to tighten security, but every year the survey
indicates that’s not happening.

Similarly, even after Hurricane Katrina, which hit the Gulf Coast seven months before we
launched our survey, a majority of companies still did not have a business
continuity/disaster recovery plan in place, and plans to complete one this year have
become less important to security officials than in 2005.

Complacency, it seems, abounds.

A large proportion of security execs admitted they’re not in compliance with
regulations that specifically dictate security measures their organization must
undertake or risk stiff sanctions, up to and including prison time for executives. Some
of these regulations—such as California’s security breach law, the Health Insurance
Portability and Accountability Act (HIPAA), and non-U.S. laws such as the European Union
Data Privacy Directive—have been around for years. Is this an example of adolescent
rebellion, or are security executives finding it hard to obtain the necessary resources
to comply?

The answer, says Mark Lobel, a PwC advisory partner specializing in security, is
neither, actually. The information security discipline still suffers from the
fundamental problem of making a business value case for security. Security is still
viewed and calculated as a cost, not as something that could add strategic value and
therefore translate into revenue or even savings.

But if one digs into the results, there are reasons for optimism. There’s evidence that
organizations that comply with security laws are more likely to be integrating and
aligning security with their enterprise’s business strategy and processes, which in turn
reduces the number of successful attacks and the financial losses that result from them.
In short, security can create value if it’s part of an organization’s business plan and
if the executive in charge is part of the executive team making those strategic spending
and policy decisions.

The six sections that follow illustrate that global information security management
practices are varied and, with a few notable exceptions, have yet to mature. New this
year, we have posted online (at www.cio.com/091506) a panel discussion with security
practitioners and experts discussing the survey findings and offering solutions that may
help information executives improve the security of their organizations. The data, we
hope, will bolster the argument for a more strategic approach to security. And
strategy—thinking ahead, connecting actions to their consequences—is, of course, a sign
of maturity.


The Good News

[Chart: Reporting Gets Aligned. IT and physical security report to the same executive
leader.]

Best Practices

28% said they align security policies with business objectives (up from 25% in 2004).

20% said they align security spending with business objectives (up from 15% in 2004).

69% of organizations said they continuously or periodically rank data and information
according to the level of risk it poses to the organization if it were to be accessed by
an unauthorized user.

[Chart: Money Talks. Security spending is increasing as a percentage of the overall IT
budget.]


The Bad News

[Chart: C-Level Security Appointments Stall. We employ a CISO or CSO.]

Improvement Slows or Regresses

                                                            2004   2005   2006
Users compliant with security policies                       70%    68%    69%
Have an overall information security strategy                56%    37%    37%
Have an identity management strategy                         21%    29%    29%
Have a business continuity/disaster recovery plan            54%    55%    50%
Have plan to report security events to partners/suppliers    29%    30%    28%
Use intrusion detection tools                                39%    49%    47%
Encrypt data before transmission                             55%    51%    48%



I.  Growing  Up,  Slowly 

The 2006 survey shows that a few more companies than last year are thinking about
security strategically, at least in some areas. A larger percentage of companies are
aligning security objectives with business objectives (20 percent of respondents said
they align all security spending with their business objectives, up from 15 percent in
2004) and are prioritizing data sets based on the sensitivity of the information
contained in each application. They’re then protecting those sets with the appropriate
amount of security (25 percent in 2006, up from 21 percent in 2004).

One of the biggest changes from last year is that more companies are integrating
physical and information security. The percentage of organizations that reported having
some form of integration between physical and information security has grown rapidly, to
75 percent in 2006 from 29 percent in 2003. A similar spike occurred in the percentage
of respondents saying their physical and information security chiefs report to the same
executive leader, to 40 percent from 11 percent in 2003.

Why is that important? To answer that, one need look no further than the daily newspaper
stories about lost and stolen laptops containing private customer information. Just ask
the U.S. Department of Veterans Affairs and AIG, both of which were involved this spring
in high-profile cases of stolen laptops. With physical and information security
combined, fewer laptops may be lost. And if they are lost or stolen, that combination
should make gaining access to the data stored in them nearly impossible. “In today’s
environment of IP-based control devices, cameras and other security sensors, the
physical aspect is becoming more and more of an IT issue,” says Jason Spaltro, executive
director of information security for Sony Pictures Entertainment.

With increasing aggregation and integration of security functions come larger security
budgets. Almost half of the survey respondents said their budgets would increase this
year, with more than one out of five saying the rate of increase would be in the double
digits. That’s a faster increase than the overall IT budget. More security execs are
being granted more financial autonomy too. That signals that security heads are being
granted more responsibility, a key ingredient to raising security’s strategic profile in
the organization.

However, the vast majority of companies worldwide—almost 64 percent—still have not
created C-level security positions such as chief security officer or chief information
security officer.

Managing security strategically, and at the executive level, may make sense in theory
but is increasingly looking like a moot point in the boardroom. “We need proof strategic
security planning works to convince the business side of the organization to make a seat
for it at the executive table,” you may say.

The good news is that the survey contains that proof: Organizations that reported that
their security policies and spending are aligned with their business processes
experienced fewer financial losses and less network downtime than those that did not.


India lags far behind the rest of the world in instituting even the most basic
information security practices and tools. With the subcontinent claiming status as the
outsourcing partner of choice for the biggest IT powerhouses in the world (49 percent of
all offshore outsourcing implementations are located in India, with up to 90 percent of
worldwide outsourcing revenue going to India, according to Duke University and
Ciber/Archstone Consulting), these findings should be a source of considerable concern.

The widespread absence of even the most routine security tools (patch management,
content filters and access control software) and policies (secure disposal of hardware,
business continuity plans, setting security baselines for outside business partners) has
left many Indian companies vulnerable to serious attack and the inevitable financial
losses that follow. Extortion, fraud and intellectual property theft occurred last year
at one in every five or six Indian companies—rates that are double and even quadruple
those of the rest of the world. Nearly one in three Indian organizations suffered some
financial loss because of a cyberattack last year, compared with one out of five
worldwide and one out of eight in the United States. “You cannot take information
security for granted in India,” PwC’s Lobel warns.


MID-MARKET SECURITY

Size Matters

Smaller companies seem to suffer less from attacks than bigger ones, but that doesn’t
mean they’re better at security

WHEN IT COMES to security, bigger isn’t always better.

Sure, large companies tend to have more strategic and effective security operations than
smaller companies, so they should have fewer breaches and less negative fallout from
attacks. Right?

Wrong. Our survey found that mid-market companies (those with revenue between $100
million and $1 billion) experienced fewer security breaches than their larger
counterparts. Nearly 30 percent of midsize companies claimed their security measures
have never been compromised compared with just 16 percent of larger enterprises.

Bigger companies also have less of a handle on what’s happening in their (larger)
networks. They’re less likely than their smaller counterparts to know how many security
breaches they’ve had (42 percent of the bigger companies had no clue versus 29 percent
of midsize companies and 16 percent of the small-market companies, those with less than
$100 million in revenue).

Bigger budgets and more security staff also make no difference when it comes to
recovering from an attack. The percentage of midsize companies that experienced network
downtime lasting more than a day matches the figure for large companies: about 10
percent.

Finally, midsize companies have a slightly clearer picture of the losses they sustain in
an attack. Fifty-five percent knew the extent of their financial losses; just 51 percent
of large companies could make the same claim.

Why is this so? Security specialists cite two factors to explain the discrepancies
between the actions and outcomes of the big guys and their smaller counterparts.

Larger companies most likely sustain more cyberattack attempts than smaller ones because
the returns to the evildoer are greater if the attack succeeds. Big companies also tend
to be more complex and keeping tabs becomes challenging, to say the least. But the
experts say the gap between mid- and large-market companies might have been even wider
if the larger companies had not followed more strategic security practices. The lesson
here is that midsize companies might reduce the number of security breaches they
experience (and the damage caused by them) if they did the same.

-A.H.


Tale of the Tape

Large companies may have larger security budgets and staffs...

                                                  Small   Midsize   Large
Security budget more than $1 million                4%      19%      38%
More than 11 employees in security department       7%      11%      28%

...and follow more strategic security practices...

                                                  Sm.     Mid.     Lg.
Employ a CISO                                     14%     22%      42%
Integrate physical and information security       32%     37%      47%
Institute an overall security strategy            31%     43%      61%
Conduct periodic security audits                  40%     54%      69%

...and have more technology in place...

                                                  Sm.     Mid.     Lg.
Use malicious code detection tools                34%     40%      50%
Use patch management tools                        32%     37%      47%
Use tools to find unauthorized devices            20%     26%      38%
Use vulnerability scanning tools                  26%     30%      46%

...But the bigger companies suffer more security breaches...

                                                  Small   Midsize   Large
Percentage saying they had no security breaches    37%      29%      16%

...and bigger losses.

                                                  Small   Midsize   Large
Percentage saying they lost more than $100,000
due to cyberattacks                                 3%       7%      12%



Troubles in India

Because security practices in India lag behind the rest of the world...

                                                    World   U.S.   India
Conduct penetration tests                            32%    42%     26%
Conduct threat vulnerability tests                   40%    47%     33%
Have an overall security strategy                    37%    47%     34%
Half of users not aligned with security policies     33%    19%     50%
Dispose of hardware securely                         38%    49%     26%
Use spyware/spam detection tools                     57%    65%     39%
Use encryption tools                                 43%    56%     40%
Use intrusion detection tools                        47%    57%     31%
Use intrusion prevention tools                       39%    50%     29%
Use network security tools                           58%    68%     42%
Use secure remote access                             56%    62%     35%
Employ user passwords                                73%    78%     54%

...its companies suffer more cybercrime...

                                                    World   U.S.   India
Extortion                                             5%     2%     15%
Fraud                                                 9%     6%     14%
IP theft                                             12%     8%     20%
Financial losses                                     19%    14%     29%

...and more downtime.

10% of Indian organizations experienced cyberattacks that shut down networks for more
than two days. The U.S. rate was 5%.


Working the Problem

Indian companies plan to deploy the following security measures in the next year

                                                    World   U.S.   India
Employ a CISO/CSO                                    20%    15%     37%
Conduct background checks                            31%    44%     42%
Monitor audit reports                                41%    48%     52%
Conduct employee security awareness training         36%    46%     42%
Protect IP and data                                  13%    15%     23%
Deploy ID management solutions                       19%    25%     24%

While the survey does not identify companies by name, and most likely does not represent
the security practices and levels of the popular Indian outsourcing companies, Lobel
suggests taking a cautious tack before jumping into an outsourcing relationship. The
first step companies should take when considering outsourcing work to India is to verify
that an Indian-based unit’s security processes and policies are of the same caliber as
its U.S. unit.

Second, Lobel suggests conducting a risk assessment of the Indian unit’s security
practices. Even if an Indian organization says that it follows a familiar, specific
security practice, don’t presume the organization defines the practice the same way that
you do. “Conducting background checks may mean something entirely different in India
than it does here,” Lobel points out. Find out exactly what the practice involves.

Indian security officials have their work cut out for them, but they do say they plan to
work to harden information security. Indian organizations lead their foreign
counterparts (sometimes by a significant amount) in deploying new security measures and
policies. And they’re not just tactical. A substantially larger percentage of Indian
companies (nearly double the rate worldwide) reported plans to hire a C-level security
executive this year. Whether the Indian organizations are able to follow through and
begin to reduce the security gap is something that will show up in the 2007 survey. Stay
tuned.




III.  The  Strategy  Gap 

When an individual thinks he doesn’t have enough information on which to base decisions,
or as many resources as he believes he needs and, for the most part, he’s not part of
the planning process, what does he do? Typically, he falls back on what he knows best.
For information security executives, that means focusing on technology—on tactics, not
strategies.

Perhaps not coincidentally, this year executives are shifting from more strategic
security practices toward more traditional technology practices (compared with last
year’s results). In 2005, for every one technology item on the security executive’s
to-do list, respondents mentioned four process fixes. This year, that ratio is nearly
1-to-1. In all, of the top dozen items on the 2006 security to-do list, seven can be
described as a technological fix. Among the top five are some of the more routine and
easy security measures, including data backup, network firewalls, application firewalls
and instituting user passwords. That explains why the percent of companies reporting
they have an overall strategic plan in place was unchanged at 37 percent.

At the very least, some of the shifts are perplexing. Dropping from the top spot in 2005
to fourth place this year is the development of a business continuity and disaster
recovery plan. That’s a surprising result given Hurricane Katrina’s reminder of the
importance of such plans.

But news coverage about disasters and security breaches may not be a driver for security
investments. Our prediction that last year’s 10th item on the information security to-do
list—spending on IP protection—would move up because of the sharp increase in
high-profile identity thefts and the increase in the amount of digitized content (such
as iTunes) did not occur. IP protection didn’t even make the 2006 top 10 list. Even some
of the simpler and less costly strategic security practices dropped. Conducting employee
awareness training dropped from second to a tie for 10th on the priority list.

The kicker here is that designing an overall information security strategy—fourth on the
list last year—didn’t make the 2006 list.

What’s happening? Why has strategic planning for security become an afterthought? One
answer may be that in an information vacuum (information security executives report that
they are unsure of their budgets, where attacks have come from and where they will find
people with the skills they need), short-term solutions seem more prudent than
long-range ones. Sony’s Spaltro offers a more fundamental reason: Information security
managers have what he calls “dings” coming into the job. They speak geek. Their bosses
don’t. “I tend to open meetings with executives by reminding them that security is a
business decision and everything we do from cameras to encryption to information
classification is a decision that the business makes to protect its assets, and I don’t
own that decision,” Spaltro says. “I’m there to be the bridge between the technology and
the risk that they face and help them to make decisions, but in the end it is really for
them to tell me what to go execute.”

For information security to be most effective, aligning the technological processes with
the organization’s strategic plan is critical. Companies that make security part of
their strategic plan, Lobel says, have fewer breaches, lower financial losses and the
fewest network downtimes.


Where Are Your Priorities?

Your 2005 To-Do List, Prioritized

1. Disaster recovery/business continuity
2. Employee awareness programs
3. Data backup
4. Overall information security strategy
5. Network firewalls
6. Centralized security information management system
7. Periodic security audits
8. Monitor employees
9. Monitor security reports
10. Spending on intellectual property protection

Your 2006 To-Do List, Prioritized

1. Data backup
2. Network firewalls
3. Application firewalls
4. Disaster recovery/business continuity
5. User passwords
6. Monitor security reports
7. Periodic security audits
8. Secure remote access
9. Spyware/adware/spam detection tools
10. (tie) Monitor compliance with security policy
10. (tie) Employee awareness programs


Moving from the Strategic to the Tactical

Ratio of technology initiatives to process initiatives

2005: 1:4
2006: 1.5:1


IV. Compliance—Time to Get Tough

As was the case last year, a surprising portion of survey respondents admitted that
they’re not in compliance with the information security laws and regulations that govern
their industries.

That includes high-profile laws that have been on the books for years. More than
one-quarter of U.S. security execs who said their organizations need to be compliant
with HIPAA, the eight-year-old law that requires health-care organizations to protect
patient information, admitted that they are not.

Noncompliance runs broad and deep in all industries, and ignorance of applicable law is
a big factor. Nearly one in five U.S. survey respondents said they should be but are not
in compliance with California’s 2002 security breach law, which requires companies to
notify individuals if an unauthorized person obtains access to their private information
(such as credit card numbers). But only 22 percent of all U.S. respondents said the law
applies to them. However, given that the law applies to any organization that has even
one California resident as a customer, student or client—more than one in 10
Americans—a good portion of the 78 percent of enterprises that think the law does not
apply to them are likely wrong.

Similarly,  it  would  have  been  hard  over  the  past  four  years 
to  miss  the  requirements  of  such  laws 
as  Sarbanes-Oxley  and  Gramm-Leach- 
Bliley.  Still,  more  than  one-third  of  all 
U.S.  respondents  said  they  are  not  in 
compliance  with  Sarbanes-Oxley  even 
though  they  should  be,  and  more  than 
one  out  of  seven  said  they  were  not  com¬ 
pliant  with  Gramm-Leach-Bliley.  That’s 
a  slight  improvement  from  last  year,  but 
considering  the  stiff  criminal  penal¬ 
ties  of  not  complying,  many  executives 
seem  to  be  leaving  themselves  open  to 
lawsuits  and  possible  prison  terms  and 
exposing  their  enterprise  to  fines. 

And  this  is  not  simply  an  Ameri¬ 
can  phenomenon.  Half  of  Australian 
organizations  surveyed  admitted  to 
not  complying  with  their  country’s  pri¬ 
vacy  legislation.  Almost  a  third  of  U.K. 
respondents  said  they  do  not  comply 
with  their  country’s  eight-year-old  Data 
Protection  Act,  and  nearly  one-third  of 
stereotypically  law-abiding  Canadian 
organizations  do  not  comply  with  their 
nation’s  privacy  act. 

At the root of this may be a lack of enforcement. To date, the cost of non-compliance is not as high as the expense of complying—the price of labor, hardware and software. In the absence of penalties, security executives have not been able to mount a business case for compliance. Add to that the fact that despite high-profile security breaches and lost laptops over the past year, the actual damages and ID thefts that can be directly tied to the incidents are small, says Jim Lewis, director of the Technology and Public Policy program at the Center for Strategic & International Studies in Washington, D.C. “People may have a sense that they are not as vulnerable as they used to be,” he says, and so not complying with laws is perceived as less risky.


Rules? What Rules?

U.S. organizations still ignoring security and privacy laws...

Percentage of U.S. organizations admitting they need to be in compliance with a specific law but are not

Law                                                        2005   2006
California security breach notification law                15%    18%
Sarbanes-Oxley                                             38%    35%
HIPAA (Health-care respondents only)                       38%    40%
Gramm-Leach-Bliley (Financial services respondents only)   17%    14%
Other state/local privacy regulations                      10%    29%

If security is to improve, security laws need more teeth. And that applies to an organization’s own rules as well. Survey respondents reported that more than two-thirds of users are compliant with their organization’s security policies, a statistic that has remained unchanged over the past three “Global State of Information Security” surveys. One of the most critical factors for reducing network downtime is compliance with an organization’s security rules, Lobel points out, but that requirement isn’t even in control objectives for information and related technology, or Cobit, the bible for IT governance.

Lobel suggests organizations assign penalties for not complying with their own security policies. But make sure, he adds, that the penalty matches the infraction. “You may not want to terminate someone who puts passwords on yellow sticky notes,” Lobel says, “but there have to be some consequences.”


...but international colleagues are negligent as well.

Percentage of non-U.S. firms admitting they need to be in compliance with a specific law but are not

Law                                                          2005   2006
Australian Privacy Legislation (Australia respondents)       48%    50%
CNIL (France respondents)                                    35%    42%
Data Protection Act of 1998 (U.K. respondents)               24%    31%
European Union Data Privacy Directive (Europe respondents)   45%    45%
Canadian Privacy Act (Canada respondents)                    38%    30%

V. The Best and Brightest

Last year we highlighted the financial services sector as possessing the best information security practices, and this year that industry once again leads all others in integrating information security with strategic operations.

Companies in the financial services sector—banks, insurance companies, investment firms—are more likely to employ a CSO than other industries. Security budgets in the financial sector are typically a bigger slice of the IT budget as a whole and increase at a faster rate than in other sectors. That may be because financial services companies are more likely to link security policies and spending to business processes. These companies are proactive, instituting formal information security processes such as log file monitoring and periodic penetration tests. More of their employees follow company security policies. Not surprising, financial services companies also have deployed more information security technology gadgets, such as intrusion detection and encryption tools, and identity management solutions.

It’s obvious, therefore, that financial services organizations are far more likely—almost twice as likely, in fact—to have an overall strategic security plan in place. Consequently, they reported fewer financial losses, less network downtime and fewer incidents of stolen private information than any other vertical.

The  reason  for  all  this  is  also  obvious.  The  product  in  the 
financial  services  industry  is  money,  and  money  is  the  prime 
target  of  cybercriminals,  including  organized  crime,  insiders 
and  even  terrorists.  Protecting  the  money  is  the  industry’s  most 
critical  concern.  The  past  few  years  have  seen  a  sharp  increase 
in  cybercrime  (phishing,  identity  theft,  extortion  and  spyware, 
to  name  a  few).  Anytime  a  security  executive  can  demonstrate 
to  top  executives  that  investing  in  security  can  protect  and 
increase  shareholder  value,  he  will  be  more  likely  to  convince 
the  boardroom  to  make  that  investment  and  make  security  a 
strategic  part  of  the  organization. 

Financial  services  companies  are  more  likely  than 
enterprises  in  other  industries  to  use  ROI  to  measure 
the  effectiveness  of  security  investments  (29  percent 
versus  an  average  of  25  percent),  and  they  also  are  more 
likely  to  use  potential  impact  on  revenue  to  justify 
investments (36 percent versus an average of 27 percent). These arguments work. More financial services
companies  saw  a  double-digit  increase  in  their  2006 
security  budgets  than  those  in  any  other  sector. 

Regulation plays a part too. The financial industry must adhere to the most stringent information
security  laws,  and  therefore  it  leads  other  industries 
in  following  proven,  strategic  information  security 
practices. 

Following  this  line  of  reasoning  about  regulatory 
compliance,  one  would  think  that  government,  health 
care  and  education— all  highly  regulated  and  entrusted 
with  securing  private  information— would  match  the 
financial sector in instituting strategic security practices. One would, however, think wrongly. According
to  the  survey,  government,  health  care  and  education, 
despite  their  responsibility  for  protecting  the  personal 
information  of  hundreds  of  millions  of  citizens,  patients 
and  students,  are  less  likely  than  finance  to  follow  the 
best tactical and strategic security practices. The government and health-care sectors, for the most part, lead
other  sectors  in  following  and  instituting  information 
security  policies  and  moving  to  become  more  strategic. 
But  the  two  sectors  are  well  behind  financial  services. 
Only  42  percent  of  government  entities  report  having 
an  overall  security  strategy,  compared  with  56  percent 
in  the  financial  sector. 

Where Do You Go to Find Best Practices? Finance

The financial services sector led other industries that handle sensitive data...

Practice                                              Total    Finance  Health   Gov’t.   Educ.
Had more than 10% increase in 2006 security budget    22%      28%      19%      19%      18%
Employs a CPO                                         16%      27%      36%      19%      10%
Employs a CSO/CISO                                    43%      73%      51%      56%      19%
Outsources vulnerability and threat assessments       29%      44%      33%      31%      22%
Conducts third-party privacy audits                   26%      48%      32%      27%      17%
Aligns security spending with business objectives     68%      80%      70%      62%      55%
Partners/suppliers to comply with security policies   33%      55%      57%      38%      25%
Encrypts stored data                                  33%      42%      31%      30%      25%
Justifies security investments by law or regulation   49%      71%      71%      64%      46%

...which means it suffered fewer successful cyberattacks and their consequences.

Outcome                                               Total    Finance  Health   Gov’t.   Educ.
Fewer than 10 negative security events in past year   60%      62%      65%      54%      57%
Attacks from e-mail virus                             53%      41%      50%      51%      56%
Incurred no downtime due to attacks                   32%      49%      39%      33%      26%
Suffered loss or damage to internal records           30%      17%      22%      31%      34%


The education sector is even farther behind in developing, following, and deploying information security practices and tools. Educational organizations find themselves in this position even after highly publicized network break-ins, including those at San Diego State University and most recently at Ohio University, which exposed students’ and their families’ data, including home addresses, Social Security and credit card numbers, and tax information.

In  fact,  the  education  sector  suffers  more  negative  security 
events  (viruses  and  worms,  denial-of-service  attacks,  identity 
thefts,  unauthorized  entries  and  trafficking  in  illicit  data),  more 
network  downtime  and  more  downtime  that  lasts  for  many  days 
than  what  the  average  respondent  worldwide  experiences. 

And the security future doesn’t look bright for the educational sector either. A smaller portion of educational security respondents than most other sectors said they plan to hire a C-level security leader, conduct background checks of new hires, start checking if networks are compliant with security policies, conduct or institute employee security awareness programs or install encryption tools—just to name a few. Educational organizations are sticking to more mundane and tactical security fixes: installing firewalls, backing up data and deploying network security tools. It’s relatively easy to predict that the education sector’s security outcomes will not improve significantly in 2007.

VI.  Dancing  in  the  Dark 

You  know  your  information  security  strategy  is  working  when 
the  number  of  successful  breaches  is  low,  the  amount  in  financial 
losses  is  negligible  and  network  downtime  is  kept  to  a  minimum. 
Unfortunately,  a  large  percentage  of  security  leaders  worldwide 
have  no  idea  if  their  security  plans  are  working  because  they 
don’t  know  any  of  these  numbers. 

From 2003 to 2005, the percentage of survey respondents saying they had fewer than 10 negative information security incidents in the past year remained steady. But this year, we included the option to answer that you do not know how many negative security incidents occurred. This year, nearly one-third of respondents admitted that they do not know how many breaches or unauthorized access events occurred within their organizations.


Talking About Security

What do the experts think of the results of The Global State of Information Security 2006? Washington Bureau Chief Allan Holmes asked them. This no-holds-barred roundtable discussion features Ernie Hayden, CISO for the Port of Seattle; Jason Spaltro, executive director of information security at Sony Pictures Entertainment; and Jim Lewis, director of the Technology and Public Policy program at the Center for Strategic & International Studies. Find the podcast at www.cio.com/091506.


To  a  certain  extent,  that’s 
understandable.  Attacks 
can  be  hard  to  identify,  and 
networks  can  be  extensive. 
What’s  less  comprehensible 
is  that  a  significant  portion  of 
respondents  said  they  have 
not  installed  some  of  the 
most  rudimentary  network 
safeguards.  Only  one-third 
of  respondents  have  put  in 
place  patch  management 
tools  or  monitor  user  activity. 
Less  than  half  use  intrusion 
detection  software  or  monitor 
log  files  (the  two  best  methods 
organizations  can  employ  to  detect  breaches)  and  even  fewer  use 
intrusion  prevention  tools.  Surprisingly,  more  than  20  percent  of 
respondents  don’t  even  have  a  network  firewall. 

Installing a firewall is easy. If a significant number of respondents
haven’t even done that much, it shouldn’t be surprising
that  many  more  are  struggling  with  the  hard  stuff.  It’s  hard 
to  quantify  attacks  and  what’s  lost  because  of  them.  First,  just 
understanding  what  constitutes  an  incident  can  be  confusing. 
“Is  having  spyware  on  your  computer  an  incident?”  Sony’s 
Spaltro  asks.  “Some  may  not  think  so,  but  we  treat  it  as  such.” 
Second,  the  ability  to  track,  record,  correlate  and  communicate 
up  the  executive  chain  is  lacking  in  most  organizations.  For  the 
fourth  consecutive  year,  there  was  an  increase  in  the  percentage 
of  respondents  throwing  their  hands  up  and  saying  they  have 
no  idea  how  much  money  their  companies  lost  due  to  attacks. 
It’s  now  up  to  50  percent. 

“How do you calculate the loss of intellectual property or the damage to a corporate reputation?” Lobel asks. “Very smart people have a hard time agreeing on the value.”

But until the security department can put a credible dollar figure on what the company is losing because of poor security, the boardroom isn’t going to listen to security executives asking for more money to spend on technology or on skilled security workers (cited as the top resources needed to improve security). The CEO wants to know how security affects shareholder value. But answering that would require a strategic overview and, as we have already seen, security professionals, by and large, don’t have one. At least, not this year.


What You Don’t Know Can Hurt You

29% of security and senior executives do not know how many negative security events they had in their enterprise in the past year...

26% do not know what type of attacks occurred or how...

and 50% don’t know how much money they are losing due to attacks.


Send feedback to Washington Bureau Chief Allan Holmes at aholmes@cio.com.



View from the Top


Formula for Efficiency

Low-margin industries—such as chemicals—usually don’t invest heavily in IT. But Dow does. Its CEO tells us why.

Dow Chemical CEO Andrew Liveris: “IT went from something that was viewed as fairly broken to one of the strengths of our organization.”

PHOTOGRAPHY BY ROY RITCHIE


In 1996 the Dow Chemical Co., which at $46 billion in annual revenue sits comfortably in the top half of the Fortune 100, set a series of ambitious environmental, health and safety goals—ranging from decreasing leaks and emissions to improving overall safety performance—that it hoped to attain by 2005. Dow claims that it reached slightly more than half its goals, and it credits a transformation brought about in large part through IT. Over that time, Dow spent about $700 million on IT per year, leading to a $2.3 billion increase in productivity.

Recently Dow CEO Andrew Liveris set a new round of goals, which he hopes the company can reach by 2015. The goals include reducing the company’s energy consumption by 25 percent and achieving at least three breakthroughs in the areas of clean water, food and housing. Once again, Dow is depending on IT to lead the way.

Liveris, a native of Darwin, Australia, has been with the company for 30 years. A self-proclaimed Treo addict, Liveris talked to CIO about how his company has changed in the course of the past decade, how it will change during the next one, and his relationship with his CIO, Dave Kepler.

CIO:  Ten  years  ago  Dow  decided  to  reinvent  itself.  Can  you 
describe  that  transition  and  how  IT  enabled  it? 

Andrew Liveris: In the mid-1990s we changed the company’s corporate model from [decentralized], where we ran as six geographically dispersed units, to one center that supported all the different lines of business. We wanted to create common work processes across the company, and that made us look at our IT architecture for the first time. Up until that time, we were full of legacy systems. We were fragmented. Even basic communication between the geographic units was difficult.

It  took  us  several  years,  but  we  redesigned  our  work  processes 
and  put  in  place  a  common  platform— a  single  instance  of  SAP. 
During  that  transition  IT  went  from  something  that  was  viewed 
as  fairly  broken  to  one  of  the  strengths  of  our  organization. 

Dow  has  now  averaged  8  percent  year  on  year  productivity 
growth  for  10  straight  years.  We’ve  done  that  through  automation, 
through greater efficiency of our human capital, better organizational
design and improved tools in the IT space.

Companies  in  low-margin  industries,  such  as  chemicals,  don’t 
usually  spend  a  lot  on  IT.  That’s  not  the  case  with  Dow.  Why  not? 

We  view  IT  as  an  enabler  of  our  strategic  and  global  business 
model, and therefore we feel that investing in IT will increase productivity
and lead to savings. In other words, we’ve recognized
that  IT  is  one  of  the  ways  to  get  out  of  the  low-margin  trap. 

One of the things we’ve decided is that different lines of business need different business models. For example, we currently have 85 joint ventures. We’re also launching new market-based businesses that focus on specific customers—Dow Water Solutions is an example—as well as growing through acquisition. All these business models have to have the same back end when it comes to IT but very different front ends. That’s something we’ve embraced in our IT design. We need to leverage the back-end systems and functions across our joint ventures—in manufacturing plants, on the governance side—in order to keep our operational efficiency. Investing in IT allows us to have that while enabling these different business models.


Dow Chemical

Headquarters: Midland, Mich.
Primary business: Plastics and specialty chemicals
2005 revenue: $46 billion
2005 IT budget: $600 million
Employees: 42,413
CIO: Dave Kepler
IT employees: 800


Dave Kepler’s Take

Dow Chemical’s CIO talks about...

Service-oriented architecture: Before we can even begin to address the IT infrastructure, we need to understand the strategic plan for the company. We’re going to have lots of different business models, and at the same time we want to promote the concept of one Dow. So, on the front end, near the customer, we have to design an architecture that allows us to be flexible; on the back end we want to be highly standardized. So by the time we arrive at SOA and start talking about consuming software services, it’s already well grounded in a business plan.

Alignment: It starts with a vision for IT, and that vision has to be relevant to the corporate strategy. You also have to be honest with yourself about what your IT department’s strengths and weaknesses are and how good a job you are doing. Once you’ve done that, you have to be willing to commit to what you’re going to change, what risks you’re going to take, and what things you can do early on to demonstrate that you are making a difference. I think people have a tendency to try to sell technology, but really the CIO needs to listen for the business problems. If I had to sum it up in one sentence, I would say that it’s the will to understand where you need to go and the willingness to take the risk to get there, all the while doing it in a transparent way.

The CEO/CIO relationship: Andrew [Liveris] clearly understands that technology is an enabler, and he also understands the complexity of running an organization like ours that has a variety of business models. He doesn’t worry about what version of software we are running on but is more concerned with the processes the technology relates to and the change management that goes along with it. At its heart, the job of the IT department is to deliver value to the company, and our CEO sees that. Our relationship is about making the company successful. I’m one of the corporate leaders helping him do that, and I happen to be the CIO.

-B.W.


Do you want your IT department to be cutting edge?

Absolutely. Twelve years ago, if you had asked me that question, I would have thrown up. But today we’re cutting edge. We’re a preferred customer with all the big name vendors, and we’re seen as the quintessential client. We’re at a point in the Dow world that if I get tripped out of my Treo port for two hours, I get bummed.

Have you ever vetoed one of CIO Dave Kepler’s ideas?

No, not on my shift [as CEO]. I have a huge comfort level that all the right questions have been asked before they get to me. Having said that, I read every line and understand the parameters of every proposal, but in general Dave is so intimately involved in our corporate strategy that from my point of view he’s completely free.

The  best  compliment  I  can  give  my  IT  department  is  what  I’ve 
asked  Dave  to  do  above  and  beyond  being  CIO.  He  runs  all  the 
shared  services  in  the  company  except  human  resources.  He’s 
added more things to his plate because those things are so complementary
to the notion of IT being an enabler.

I’ll  give  you  a  specific  example.  Three  years  ago,  we  were  looking 
to  expand  our  operation  in  China.  We  were  already  approaching 
$2  billion  in  revenue  there,  but  we  needed  to  increase  our  footprint 
and  actually  put  some  white-collar  human  resources  there.  Dave 
came up with a plan for how to integrate the IT needs of an Asia-Pacific
presence with the corporate needs of being in China and
actually  build  an  IT  center  based  in  China. 

This  wasn’t  labor-cost  driven.  It  was  knowledge  driven.  The 
notion  was  that  because  Chinese  universities  are  training  so  many 
engineers,  the  IT  world  would  be  a  great  entry  point  into  Dow. 
And  in  the  two  or  three  years  they’d  spend  in  IT  supporting  the 
Asia-Pacific  operations,  we  would  teach  them  the  Dow  culture  and 
how  to  operate  at  Dow.  In  time,  we’ll  leverage  these  people  into 
other  parts  of  Dow  besides  IT. 

But you’re the person responsible for the decisions that get made beneath you. How do you set limits for your IT group? How do you decide when to interject yourself into decisions?

You’re  speaking  to  ultimate  sign-off.  At  the  end  of  the  day,  it  is 
the  CEO’s  responsibility  to  increase  the  wealth  and  value  of  the 
enterprise  and  to  balance  short-term  versus  long-term  decisions. 
Most  of  the  decisions  in  the  IT  space  are  long  term,  and  therefore 
you  have  to  understand  both  the  level  of  risk  and  the  financials 
that  support  the  project. 

I spend lots of time on those questions; this includes presentations and white papers and how a project maps to our overall strategic direction. When I sign off there is also a process that allows Dave to understand the accountability that comes with that sign-off. For example, we are now working on designing our next enterprise architecture. We’re going through the authorization process, which is being reviewed by my team. It’s coming to me. And the conversations I’m having are about making sure we understand the risk-reward trade-off on value for the enterprise.

One  of  the  ways  that  risk  management  for  IT  has  changed  is  that 
the  [business]  cycles  are  so  short.  If  you  have  installed  systems 
that  you  can’t  get  out  of  for  10  years,  you’re  going  to  get  blown  by. 
So  you’ve  got  to  build  in  flexibility  and  adaptability.  I  think  that’s 
what  we’ve  built  here.  As  we  go  to  our  next-generation  activities, 
we’re  very  excited  because  we  can  do  them  in  modular  ways.  We 
aren’t  taking  full  frontal  risks,  so  to  speak. 

We’re  very  comfortable  with  that  approach.  And  I  would  say 
to  you  that,  as  a  science-based  enterprise,  what  we’re  ultimately 
selling  is  our  human  capital— our  proprietary  knowledge— and 
that  goes  hand  in  hand  with  how  we  manage  IT.  We  have  to  be 
on  the  cutting  edge  of  IT  so  that  we  can  take  the  lead  in  managing 
that  knowledge. 

You’ve  just  described  an  organization  that  is  very  much  in  flux. 
How  do  you  lead  in  this  environment? 

Leadership  of  this  kind— transformational  leadership— is  all 
about  change  management.  Change  management  requires  clarity 
of  vision  and  a  team  that  can  translate  that  vision  into  strategy. 
Then  you  empower  your  leaders  to  actually  put  their  strategy  into 
place.  The  IT  space  then  becomes  the  enabler  that  allows  us  to 
execute  better.  (For  more  on  change  management,  see  “The  New 
Science  of  Change,”  Page  54.) 

We  didn’t  become  productive  by  accident.  This  is  a  nearly  $50 
billion  company  with  42,000  people.  Ten  years  ago  we  had  more 
people  and  half  the  revenue.  There’s  no  model  out  there  for  what 
we’ve  done.  I  couldn’t  tell  you  how  many  companies  come  in  here 
trying  to  figure  out  how  we’re  doing  that.  It’s  change  management 
from  the  top:  a  leadership  model  that  absolutely,  totally  believes  in 
the power of the people around you. You’ve got to communicate, you’ve got to engage, and you’ve got to have goals and metrics against the strategy. These sorts of things aren’t specific to IT, but IT is central to many of them.


Senior  Writer  Ben  Worthen  can  be  reached  at 
bworthen@cio.com. 


Keeping  the  Momentum 


To read more about Dow's plans for 2015 and its goals for sustainability, find the link to its mission statement, "Our Commitments," at www.cio.com/091506.



INDEX  OF  COMPANIES  AND  ADVERTISERS 


Page  numbers  refer  to  the  first  page  of  the  article(s)  in  which  the  company  has  a  substantial  mention.  This  index  is 
provided  as  a  service  to  readers.  The  publisher  does  not  assume  any  liability  for  errors  or  omissions. 


COMPANY INDEX

A.T. Kearney Inc.: 25
Aberdeen Group Inc.: 37
ABI Research: 37
Accenture: 25
AMR Research Inc.: 37
Arrow Electronics Inc.: 25
Bank of America N.A.: 70
Bearing Point Inc.: 70
Blue Cross and Blue Shield of Kansas City: 54
Bridgeman Communications Inc.: 37
CA Inc.: 25
Center for Creative Leadership: 54
Cosmetic Essence Inc.: 25
Doremus and Co.: 25
Dow Chemical Co.: 97
E*Trade Financial Corp.: 70
Forrester Research Inc.: 70
Gomez Inc.: 70
Hewlett-Packard Development Co.: 25
IBM Corp.: 70
Intel Corp.: 70
Keane Inc.: 70
Keefe, Bruyette & Woods Inc.: 70
Keynote Systems Inc.: 70
MySpace.com: 25
NCR Corp.: 70
Northwestern Mutual: 25
ODIN Technologies: 37
PharMerica Inc.: 54
PricewaterhouseCoopers LLP: 82
Results Workplace Coaching: 54
RSA Security Inc.: 70
Sony Corp.: 82
Texas Instruments Inc.: 37
Thomasville Furniture Industries: 37
Wachovia Corp.: 70
Wells Fargo: 70
Yankee Group: 25
YouTube Inc.: 25



CIO CONTACT INFORMATION

Editorial, Advertising and Business Offices: CXO Media Inc., 492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208, 508 872-0080.

CIO (ISSN 0894-9301) is published semimonthly and as a combined issue Dec. 15/Jan. 1 by CXO Media Inc. Periodicals postage paid at Framingham, MA, and at additional mailing offices. Canada Publications Mail Agreement Number 1902075. CANADIAN POSTMASTER: Please return undeliverable copy to P.O. Box 1632, Windsor, ON N9A7C9.

Permissions: Copyright 2006 by CXO Media Inc. All rights reserved. Reproduction of material appearing in CIO is forbidden without written permission. Send all requests to Yadira Pizarro, PARS International, 212 221-9595, Ext. 231, or yadira@parsintl.com.

Photocopy Rights: Permission to photocopy for internal or personal use or the internal or personal use of specific clients is granted by CIO for users through the Copyright Clearance Center, provided that the base fee of $3 per copy of the article, plus $.50 per page is paid directly to Copyright Clearance Center, 27 Congress Street, Salem, MA 01970. Please specify: ISSN 0894-9301. Permission to photocopy does not extend to contributed articles followed by this symbol: $.

Subscriptions: CIO is free to qualified information executives. To apply, use our online subscription form at www.subscribe.cio.com. Subscriptions are also available on a paid basis at a rate of $95 for the United States and Canada, $195 International (payable in U.S. funds only) and may be ordered online at www.subscribe.cio.com/services.html. Or address inquiries to CIO, P.O. Box 489, Northbrook, IL 60065-0489; 866 354-1125. Please allow four to six weeks for a new subscription to begin. The single copy price is $9 for the United States and Canada, and $15 International. Prepayment is required, payable in U.S. funds.

Change of Address: Please go to www.omeda.com/custsrv/cio and follow the online instructions.

Postmaster: Send change of address to CIO, P.O. Box 489, Northbrook, IL 60065-9816. Printed in the U.S.A.




BY  SCOTT  BERINATO 


ADVENTURES  IN  CUSTOMER  SERVICE 


The Local State of Information Security 2006

A true story (enhanced)

I’m **** **** **** 1781. That’s what the Big Credit Card Company calls me after The System verifies my address, phone number, date of birth, dog’s name, wife’s name and, of course, my CVC.

“My CVC?” I ask. “What’s that?”

“Card Validation Code,” the voice says. “It’s also called a Card Verification Value, or CVV. Sometimes it’s called a Card Identification Number, which you would think is a CIN but is actually a CID. Anyway, it’s three digits on the back of your card if you have a CVV or CVC. If it’s a CID, it’s four digits on the front of your card.”

So I find the CVC and the voice transforms into Susie. “How can I help you today, **** **** **** 1781?” she chirps.

“You  could  call  me  Scott.” 

“Great,  Scott.  I’ll  make  a  note  of  that  in 
The  System.  Is  there  anything  else  I  can 
do  for  you  today?” 

“Yes. I received a letter saying that you’ve closed my account because of some unspecified unauthorized access.”

“Yes, Dave. I see that right here.”

“Scott.”

“Who?”

“Never mind. So, what happened?”

“I’m sorry, Steve. I’m not authorized to possess that information.”

“Right. Well, you said you’d issue me a new card with a new account number.”

“That’s true. Your new card was delivered to your residence on the 17th.”

“That’s right. And I’d like to activate it but nothing says how to do that.”

Susie  laughs.  “Why,  that  card  has 
already  been  activated,  Steve.” 

“You  sent  me  a  live  credit  card  in  the 
mail,  Susie?” 

“Yes,  Steve.  We  try  to  make  things 
easier  for  you.  We  try  to  delight  you  with 
customer  service.” 

Blood  boiling,  I  say  through  clenched 
teeth,  “Susie,  put  your  supervisor  on!” 

Susie  is  crushed  by  my  lack  of  delight. 
“Please  hold,”  she  says,  a  little  less  chirpy. 

After a while, a soothing instrumental version of “Sympathy for the Devil” is interrupted by: “This is Kyle, your customer service champion. How can I help you, Dave?”

“Scott. Kyle, do you think sending an activated, live credit card through the mail is a secure practice?”

“Well, maybe not, Steve, but—”

“Yeah, maybe not!”

Kyle’s friendliness is like steel. It won’t bend. “But The System automatically activates the card for you. And there’s already a $29 charge on it.”


“A  charge?  For  what?” 

“Your  newspaper  subscription.” 

“But in the letter you sent me you said I’d have to call the people who automatically charge my account to inform them of the new card number.”

“Well, The System already did that.”

“You sent the newspaper company my new number without telling me? Do you really think that’s a secure way to do things?” I ask, now utterly undelighted.

“I’m not sure,” says Kyle. “In any case, I’m not authorized to have an opinion.”

“Well, I don’t think it’s secure and I don’t want you ever doing it again. Ever!”

“We’ll make a note of that. Would you like your new balance, Steve?”

“It’s Scott, and you already told me it’s $29, right?”

“Well, that was due yesterday. At 18 percent interest, your balance is now $29.97. If you’d like, Steve, you can pay that electronically right now. I’ll just need your PIN, your CVV, CVC or CID, your mother’s maiden name, your dog’s....”




ILLUSTRATION  BY  RYAN  SNOOK 




